Splunk Search

How to create a PDF report with a varying number of timecharts, dependent on unique stats results?

subtrakt
Contributor

Hi,

I have a search w/ a stats function that illustrates multiple individual errors. Once that search completes, I would like to see a 7-day timechart for each individual error. Sometimes the report could generate 1 timechart in the PDF, or sometimes multiple errors in the PDF, depending on what comes out of the stats.

This is the concept:
... | stats count by testERROR | where count > 10 | map timechart count by testERROR

create pdf and email with timecharts

0 Karma
1 Solution

woodcock
Esteemed Legend

Like this

... [search ... | stats count by testERROR | where count > 10 | fields testERROR] | timechart count by testERROR


0 Karma


subtrakt
Contributor

map [search index=test earliest=-2d testERROR=$testERROR$ | timechart fixedrange=F count by testERROR]

Any idea how to make the Y axis less jumbled?

Looks like it's overwriting w/ each map loop.

0 Karma

subtrakt
Contributor

Yes the query worked - thanks again!

0 Karma

woodcock
Esteemed Legend

If you prefer individual timecharts, then use map like this:

... | stats count by testERROR | where count > 10 | map search="search testERROR=$testERROR$ | timechart count"
0 Karma

woodcock
Esteemed Legend

Did this work?

0 Karma

subtrakt
Contributor

No map? This looks like it's just running a subsearch for the same thing.

I was hoping to take the output from a search and map it to individual searches w/ timecharts.

0 Karma