Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Charts not populating after post processing is done.

theouhuios
Motivator
‎10-05-2012 08:09 AM

Hello

I am completely new to the post processing concept hence having few issues with coding it in xml 

`<?xml version='1.0' encoding='utf-8'?>


<![CDATA[index="main" sourcetype="incident" |dedup record.incidentId| stats count by record.assignmentGroup,record.priority ]]> `



Last 24 hours






Count by Priority - 1
<![CDATA[where record.priority="1" ]]>
bar
gaps
default
false
right

 </chart>




Count by Priority - 2
<![CDATA[where record.priority="2" ]]>
bar
gaps
default
false
right

 </chart>
 <chart>
   <title>Count by priority -3</title>
   <searchPostProcess> <![CDATA[where record.priority="3"  ]]> </searchPostProcess> 
   <option name="charting.chart">column</option> 
   <option name="charting.chart.nullValueMode">gaps</option>
   <option name="charting.chart.stackMode">stacked</option> 
   <option name="charting.layout.splitSeries">false</option> 
   <option name="charting.legend.placement">right</option> 
   <option name="count">10</option>
   <option name="displayRowNumbers">true</option> 

 </chart>


I don't know why but the data isn't getting populated in the charts. Can anyone please explain where I am doing a mistake. Any help would be great.

Thanks

Tags (1)
0 Karma
Reply

theouhuios
Motivator
‎10-08-2012 08:00 AM

Made changes and pasted the code again. Now in the postprocess it only has the where field. Am I missing something here?

0 Karma
Reply

dart
Splunk Employee
Splunk Employee
‎10-08-2012 07:53 AM

change the post processes to just the where clause and remove the field, eg. |where record.priority=3 | fields - record.priority.
You don't have _time anymore, so you can't bucket by it. You'd need to bucket by time in the original search template.

Reply

theouhuios
Motivator
‎10-08-2012 07:51 AM

Thanks for that. But it still doesn't populate the charts below. Am I doing anything wrong in the searchTemplate ?

0 Karma
Reply

theouhuios
Motivator
‎10-08-2012 07:50 AM

Thanks for that. But it still doesn't populate the charts below. Am I doing anything wrong in the searchTemplate ?

0 Karma
Reply

dart
Splunk Employee
Splunk Employee
‎10-08-2012 07:23 AM

The properties are searchPostProcess and searchTemplate not searchpostprocess or searchtemplate. Does that sort it out?

0 Karma
Reply

theouhuios
Motivator
‎10-08-2012 07:01 AM

Any help please?

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...