I have a dashboard with a base search, three Single Values use the base search, but will only populate using stats , I would like to utilize timechart for the three Single Values to show trending data.
Each Single Value also needs to filter data so that SV1 shows all eventtypes, SV2 shows eventtype1, and SV3 shows eventtype2.
<dashboard>
<label>Single Value Dashboard</label>
<search id="base">
<query>index=main sourcetype=source</query>
</search>
<row>
<panel>
<single>
<title>All Events</title>
<search>
<query>| timechart count</query>
<earliest>-24h@h</earliest>
<latest>now</latest>
</search>
<option name="drilldown">none</option>
</single>
<single>
<title>Eventtype 1</title>
<search base="base">
<query>| search eventtype=eventtype1 | timechart count by eventtype</query>
</search>
</single>
<single>
<title>Eventtype 2</title>
<search base="base">
<query>| search eventtype=eventtype2 | timechart count by eventtype</query>
</search>
</single>
</panel>
</row>
</dashboard>
I'm confused as using the SPL in Search & Reporting does return the desired result
index=main sourcetype=source | search eventtype=eventtype1 | timechart count by eventtype
... View more