Solved: Use Trellis with many values by graph.

mclane1 · ‎10-06-2021

Hello,

I don't find solution here and I managed to get it to work.

First of all, if you want separate in many dashboards your seach you can do that.

index="_internal"
| timechart count by sourcetype

You can activate trellis by sourcetype.

But in each graph you want status (by exemple).

Please try this query :

index="_internal"
| bin _time
| stats count by _time, sourcetype, status
| eval {status}=count
| fields - status, count
| fillnull value=0
| stats sum(*) as * by _time, sourcetype

mclane1 · ‎10-06-2021

Use trellis in a chart (form or dashboard):

  <row>
    <panel>
      <chart>
        <search>
          <query>index="_internal" 
|  bin _time
| stats count by _time, sourcetype, status
| eval {status}=count
|  fields - status, count
| fillnull value=0 
|  stats sum(*) as * by _time, sourcetype</query>
          <earliest>-15m@m</earliest>
          <latest>now</latest>
          <refresh>10m</refresh>
          <refreshType>delay</refreshType>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">-90</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.chart">area</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">top</option>
        <option name="refresh.display">preview</option>
        <option name="trellis.enabled">1</option>
        <option name="trellis.scales.shared">0</option>
        <option name="trellis.size">large</option>
        <option name="trellis.splitBy">sourcetype</option>
        <option name="height">1600</option>
      </chart>
    </panel>
  </row>

View solution in original post

mclane1 · ‎10-06-2021

Use trellis in a chart (form or dashboard):

  <row>
    <panel>
      <chart>
        <search>
          <query>index="_internal" 
|  bin _time
| stats count by _time, sourcetype, status
| eval {status}=count
|  fields - status, count
| fillnull value=0 
|  stats sum(*) as * by _time, sourcetype</query>
          <earliest>-15m@m</earliest>
          <latest>now</latest>
          <refresh>10m</refresh>
          <refreshType>delay</refreshType>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">-90</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.chart">area</option>
        <option name="charting.chart.stackMode">stacked</option>
        <option name="charting.drilldown">none</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">top</option>
        <option name="refresh.display">preview</option>
        <option name="trellis.enabled">1</option>
        <option name="trellis.scales.shared">0</option>
        <option name="trellis.size">large</option>
        <option name="trellis.splitBy">sourcetype</option>
        <option name="height">1600</option>
      </chart>
    </panel>
  </row>

Use Trellis with many values by graph.

chart

timechart

Index This | I’m short for "configuration file.” What am I?

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Your Guide to SPL2 at .conf24!