I'm trying to create a pie chart in trellis view such that it shows me the number of jobs that ended in terminal or complete state. Right now the chart shows data by state and then divides the pie into months. I want the opposite. I want the headers to display months and the respective pie charts to be divided by state.
index="secretindex" host=$location$ sourcetype=Logs FinalState=TERMINAL OR FinalState=COMPLETE| timechart count(eval(FinalState="TERMINAL")) as TERMINAL, count(eval(FinalState="COMPLETE")) as COMPLETE span=1month
Please help!!
[Updated Answer]
With further details for trellis:
Please use the following option to split by Time field which should show Month as Trellis Pie Chart Header
<option name="trellis.splitBy">Time</option>
PS: I have corrected span to 1mon as per suggestion and strftime() from %m to %b to show month abbreviation instead of month as number.
@pranaynanda, Try the following:
index="secretindex" host=$location$ sourcetype=Logs FinalState=TERMINAL OR FinalState=COMPLETE
| bin _time span=1mon
| eval Time=strftime(_time,"%b-%Y")
| chart count over FinalState by Time
Hey @pranaynanda, if they solved your problem, remember to "√Accept" an answer to award karma points 🙂
You Rock! Thanks!
Save yourself some grief and train your users to look at it this way...
| eval Time=strftime(_time,"%Y-%m")
It's not the format of time that I wish to change. I want the charts to look in such a way that the header says the Month and then below each month it splits the respective pie by FinalState.
Is such a thing even possible?
@pranaynanda - Since @niketnilay had you handled, I just made more of a plain comment than a solution. You will save yourself a LOT of grief if you just get in the habit of using that "%Y-%m" date format.
I appreciate your concern. I simply can't understand how that will help me. Is there something bad about the format I posted in?
@pranaynanda - When you put year, month, day and 24-hour format time then the human-readable values can be sorted or directly compared against each other, without changing back to epoch format. That saves massive amounts of programming.
Also, "08/11/1975" is ambiguous across cultures and locations, whereas "1975-08-11" or "1975-11-08", whichever one of those was meant, cannot be mistaken for each other. So you eliminate work and confusion at the same time.
Interesting. I understand now. I used the "%B %Y" format and then used the trellis view. Maybe there's more processing involved but there's no confusion here I guess. Thank you for the great advice btw. I can use it in other charts that I have. I never thought that reading a date could be so ambiguous across cultures and boundaries. Thank you for pointing that out.
@pranaynanda - Yes, it's a major cause for confusion in multinationals. Obviously, the full written-out month name is not an issue that way, but it cannot be sorted.
Apologies for picking up this old topic and not listening to you previously but I get your concern now. Can you help me sort it while letting me visually keep the "%B %Y" format? "%Y-%m" works but I think %B %Y is visually more appealing.
@pranaynanda, Trellis Aggregate By field expects a query with a by clause to be the final transforming command. So, while it is possible to keep the "%b %Y" format sorted using SPL, it cannot be done directly via a stats by clause, which implies Trellis will lose its Aggregate By option.
So would the following suffice the need? It will retain both digit month for sorting and abbreviated Month name for clarity.
<YourBaseSearch>
| bin _time span=1mon
| eval Time=strftime(_time,"%Y-%m (%b)")
| chart count over FinalState by Time
@pranaynanda, sorry for not responding to this earlier. I have updated my answer, you should be able to do what you need through trellis option as mentioned in the updated answer: <option name="trellis.splitBy">Time</option>
You'll have to modify the span such that it reads 1mon and not 1m since m is reserved for minute.
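The sorting and ambiguity points made in the comments above, as an added Python example that is not part of the original thread: it checks which of the `strftime` formats discussed here keep month buckets in time order when the labels are ordered as plain strings, and shows the two readings of "08/11/1975". The function names and the four sample months are constructed for illustration.

```python
from datetime import date, datetime

def month_starts(first: date, count: int) -> list[date]:
    """Return `count` consecutive month-start dates beginning at `first`."""
    out, year, month = [], first.year, first.month
    for _ in range(count):
        out.append(date(year, month, 1))
        month += 1
        if month > 12:
            year, month = year + 1, 1
    return out

def sorts_chronologically(fmt: str, buckets: list[date]) -> bool:
    """True if sorting the formatted labels as strings preserves time order."""
    labels = [d.strftime(fmt) for d in buckets]
    return sorted(labels) == labels

def readings(text: str) -> set[date]:
    """All distinct dates a slash-separated string can mean
    (month-first vs. day-first conventions)."""
    found = set()
    for fmt in ("%m/%d/%Y", "%d/%m/%Y"):
        try:
            found.add(datetime.strptime(text, fmt).date())
        except ValueError:
            pass  # not a valid date under this convention
    return found

# Constructed sample: four monthly buckets that cross a year boundary.
BUCKETS = month_starts(date(2023, 11, 1), 4)

# Formats that appear in this thread.
FORMATS = ["%b-%Y", "%B %Y", "%Y-%m", "%Y-%m (%b)"]

if __name__ == "__main__":
    for fmt in FORMATS:
        labels = sorted(d.strftime(fmt) for d in BUCKETS)
        verdict = "time order" if sorts_chronologically(fmt, BUCKETS) else "scrambled"
        print(f"{fmt:<12} {verdict:<10} {labels}")
    for text in ("08/11/1975", "25/12/1975"):
        print(text, "->", sorted(d.isoformat() for d in readings(text)))
```
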