Why is my search not populating the visualization ...

rwells · ‎04-28-2016

When I run this search, everything runs fine, but I don't understand why my visualization tab does not populate. Does anyone have any idea what I might be doing wrong?
What I am trying to do is convert all the files into the most appropriate size and graph them

eventtype=egress_* File_Type=*| stats sum(Detail_File_Size) as sum_of_Data by File_Type | eval Data_converted=case(       sum_of_Data>=(1024*1024*1024*1024),round(sum_of_Data/(1024*1024*1024*1024),0)."TB",      sum_of_Data>=(1024*1024*1024),round(sum_of_Data/(1024*1024*1024),0)."GB",      sum_of_Data>=(1024*1024),round(sum_of_Data/(1024*1024),0)."MB",  sum_of_Data>=1024,round(sum_of_Data/1024,0)."KB",  1=1,sum_of_Data."B")      | table File_Type, Data_converted

sundareshr · ‎04-28-2016

You need a transforming command (such as stats, timechart, or top) to return search results in a data structure that supports both tables and chart visualizations. Remove the table from the end and change your search like this

eventtype=egress_* File_Type=*| stats sum(Detail_File_Size) as Data_converted by File_Type | eval Data_converted=case( Data_converted>=(1024*1024*1024*1024),round(Data_converted/(1024*1024*1024*1024),0)."TB",      Data_converted>=(1024*1024*1024),round(Data_converted/(1024*1024*1024),0)."GB",      Data_converted>=(1024*1024),round(Data_converted/(1024*1024),0)."MB",  Data_converted>=1024,round(Data_converted/1024,0)."KB",  1=1,Data_converted."B")

Why is my search not populating the visualization tab with data?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life