Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Charts not populating after post processing is done.

theouhuios
Motivator
‎10-05-2012 08:09 AM

Hello

I am completely new to the post processing concept hence having few issues with coding it in xml 

`<?xml version='1.0' encoding='utf-8'?>


<![CDATA[index="main" sourcetype="incident" |dedup record.incidentId| stats count by record.assignmentGroup,record.priority ]]> `



Last 24 hours






Count by Priority - 1
<![CDATA[where record.priority="1" ]]>
bar
gaps
default
false
right

 </chart>




Count by Priority - 2
<![CDATA[where record.priority="2" ]]>
bar
gaps
default
false
right

 </chart>
 <chart>
   <title>Count by priority -3</title>
   <searchPostProcess> <![CDATA[where record.priority="3"  ]]> </searchPostProcess> 
   <option name="charting.chart">column</option> 
   <option name="charting.chart.nullValueMode">gaps</option>
   <option name="charting.chart.stackMode">stacked</option> 
   <option name="charting.layout.splitSeries">false</option> 
   <option name="charting.legend.placement">right</option> 
   <option name="count">10</option>
   <option name="displayRowNumbers">true</option> 

 </chart>


I don't know why but the data isn't getting populated in the charts. Can anyone please explain where I am doing a mistake. Any help would be great.

Thanks

Tags (1)
0 Karma
Reply

theouhuios
Motivator
‎10-08-2012 08:00 AM

Made changes and pasted the code again. Now in the postprocess it only has the where field. Am I missing something here?

0 Karma
Reply

dart
Splunk Employee
Splunk Employee
‎10-08-2012 07:53 AM

change the post processes to just the where clause and remove the field, eg. |where record.priority=3 | fields - record.priority.
You don't have _time anymore, so you can't bucket by it. You'd need to bucket by time in the original search template.

Reply

theouhuios
Motivator
‎10-08-2012 07:51 AM

Thanks for that. But it still doesn't populate the charts below. Am I doing anything wrong in the searchTemplate ?

0 Karma
Reply

theouhuios
Motivator
‎10-08-2012 07:50 AM

Thanks for that. But it still doesn't populate the charts below. Am I doing anything wrong in the searchTemplate ?

0 Karma
Reply

dart
Splunk Employee
Splunk Employee
‎10-08-2012 07:23 AM

The properties are searchPostProcess and searchTemplate not searchpostprocess or searchtemplate. Does that sort it out?

0 Karma
Reply

theouhuios
Motivator
‎10-08-2012 07:01 AM

Any help please?

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...