Is there a way to dynamically assign chart labels using a search? My search ends with a timechart values(foo) as bar, values(baz) as qux
. I have created searches to pull out the values from Splunk for the labels, but if I replace "bar" and "qux" as subsearches, the labels get a bit missed up and the chart data skews. My current environment is Splunk Enterprise 6.4 and 6.3. What am I missing? Thanks!
Try something like this (run anywhere sample). Here I'm setting the token in the search element to dynamically get the renamed column name.
<dashboard>
<label>Dynamic_Chart Label</label>
<search>
<query>| gentimes start=-1 | eval splunkd="\"Splunk Engine\"" | eval splunk_web_access="\"Splunk Web\""| table splunkd splunk_web_access</query>
<finalized>
<condition>
<set token="splunkd">$result.splunkd$</set>
<set token="splunk_web_access">$result.splunk_web_access$</set>
</condition>
</finalized>
</search>
<row>
<panel>
<chart>
<search>
<query>index=_internal sourcetype=splunkd OR sourcetype=splunk_web_access | timechart count by sourcetype | rename splunkd as $splunkd$ splunk_web_access as $splunk_web_access$</query>
<earliest>-15m</earliest>
<latest>now</latest>
</search>
<option name="charting.chart">line</option>
</chart>
</panel>
</row>
</dashboard>
Try something like this (run anywhere sample). Here I'm setting the token in the search element to dynamically get the renamed column name.
<dashboard>
<label>Dynamic_Chart Label</label>
<search>
<query>| gentimes start=-1 | eval splunkd="\"Splunk Engine\"" | eval splunk_web_access="\"Splunk Web\""| table splunkd splunk_web_access</query>
<finalized>
<condition>
<set token="splunkd">$result.splunkd$</set>
<set token="splunk_web_access">$result.splunk_web_access$</set>
</condition>
</finalized>
</search>
<row>
<panel>
<chart>
<search>
<query>index=_internal sourcetype=splunkd OR sourcetype=splunk_web_access | timechart count by sourcetype | rename splunkd as $splunkd$ splunk_web_access as $splunk_web_access$</query>
<earliest>-15m</earliest>
<latest>now</latest>
</search>
<option name="charting.chart">line</option>
</chart>
</panel>
</row>
</dashboard>
What version of Splunk you're using?
Splunk Enterprise 6.4 and 6.3.