I'm trying to make a bar chart but for some reason I'm having some difficulty. I'd like to have it where my saved search generates the chart without having to make a dashboard. Is that possible?
My search looks through a log and shows the disk usage for users' home directories.
sourcetype=DiskUsageTest | rex field=_raw "(?<Space>[\d]+)\s*\/home\/(?<UserName>\S+)" max_match=1000 | table UserName Space
I'd like to put this into a bar chart. I tried piping the search to timechart as well but haven't been successful. For right now I have it piped to table to see the results.
The search will display a username and the space they are using. Each is a single event. I've looked at some documentation too and just can't seem to get this to work.
What command would I use at the end of the search to make a bar graph? I've read about timechart and stats and am a bit confused about what would work. I'll keep trying but figured I'd ask here.
I'd like to have the usernames displayed on the left side of the chart and the space values at the bottom.
I tried putting | timechart avg(Space) by UserName at the end but this didn't seem to generate the results I want either.
Actually I got it to work! After I messed with it for a while I finally got it. I made a dashboard and used the saved search with the "timechart" command to generate the chart. It was a bit crowded when it generated so I just stretched it down and it appears OK.
So if the dashboard bar graph is crowded to where I have to stretch it down, is there any way to maybe space it better? That's the next thing I will research.
So if I understand you correctly, you've got the data correctly from timechart but need to know how to get this data into a bar chart?
The search app always shows the flash timeline that you see below the search window. There is no changing this (well at least not without lots of work and/or pretty much breaking the search app). To use the stats you've gotten from timechart in a chart, use the "Show report" link to the right underneath the search button. This takes you to the report builder where you can choose the type of chart you want to use and some other things, before you finally click Apply and create the actual chart.
The last thing I am working on is having this search span for 7 days and show the top 20 users who have the highest amount of space for the last 7 days.
and above is the code from the dashboard
bar
500
UserName
Space
true
top
This was able to generate a chart for me when I put it into a dashboard XML file. host="ynfs1" sourcetype=userdiskusage earliest=-1d@d latest=-0d@d | rex field=_raw "(?