topic Re: Can I show the results of two different searches in one visualization? in Dashboards & Visualizations

Can I show the results of two different searches in one visualization?

zacksoft — Fri, 01 Dec 2017 14:29:57 GMT

I have two separate queries,

Query1:
host="A" OR "B" consumed
| eval consume = case (.............)
| stats count by consumed

Query2:
host="A" OR "B" produced
| eval produce = case (.............)
| stats count by produce

In the visualization tab(column chart) I get two nice chart/graph for each queries.
However, I would like a single chart/graph where both the visualization should come side by side.
Example : In X axis red bar showing the amount produced and a blue bar adjacent to it showing the amount consumed for each product.

Re: Can I show the results of two different searches in one visualization?

woodcock — Fri, 01 Dec 2017 14:47:11 GMT

Splunk can only come close like this:
https://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Viz/VisualizationTrellis

If you need it more stuck/close together then you will have to use a tool like Sideview Utils or roll your JS/html.

Re: Can I show the results of two different searches in one visualization?

niketn — Fri, 01 Dec 2017 15:39:41 GMT

@zacksoft, what is the condition for produced and consumed (your eval command)? Ideally you should use eval after stats if possible from performance point of view. Do you mean by side by side or stacked or overlay? Since your base search remains the same you might get the stats together. But you might have to get some sample data and query for us to assist better.

Re: Can I show the results of two different searches in one visualization?

zacksoft — Tue, 29 Sep 2020 17:03:08 GMT

The eval command goes like this in Query1,
eval consume=case(like(_raw,"%orancon%"),"OrangeConsumed"
in Query2,
eval produce =case(like(_raw,"%oranpro%"),"OrangeProduced"

Yes, I guess overlay or stacked might solve my problem.

Re: Can I show the results of two different searches in one visualization?

niketn — Sat, 02 Dec 2017 02:15:56 GMT

@zacksoft, So something like orancon in your raw data gives oranges consumed and oranpro gives you orange produced. You can try query like the following:

<YourBaseSearch> ("orancon" OR "oranpro")
| stats count(eval(searchmatch("orancon"))) as consumed count(eval(searchmatch("oranpro"))) as produced

Or if you want to show the same over time

<YourBaseSearch> ("orancon" OR "oranpro")
| timechart count(eval(searchmatch("orancon"))) as consumed count(eval(searchmatch("oranpro"))) as produced

Re: Can I show the results of two different searches in one visualization?

sundareshr — Sat, 02 Dec 2017 15:42:46 GMT

@zacksoft, you could do as @niketnilay suggests here or you can create a new field for "pro_con" or "action" (call it whatever) with two values "produced" or "consumed" and then you can chart over state. Like this should work

    host="A" OR "B" ("orancon" OR "oranpro")
    | eval pro_con=case (match(_raw, "orancon"), "consumed", match(_raw, "oranpro"), "produced", 1=1, "UNK")
    | timechart count by pro_con

    OR
    | stats count by pro_con

    OR 
    | chart count over some_other_grouping_field by pro_con

@niketnilay's search is probably more efficient, whereas the above may be more readable. More options to achieve same result.

Re: Can I show the results of two different searches in one visualization?

zacksoft — Mon, 04 Dec 2017 06:51:59 GMT

Thank You @sundareshr

Re: Can I show the results of two different searches in one visualization?

zacksoft — Mon, 04 Dec 2017 06:53:16 GMT

Thanks @niketnilay

Re: Can I show the results of two different searches in one visualization?

djkj957 — Mon, 20 May 2019 02:07:07 GMT

@sundareshr worked like a charm!!