topic Re: Can i create a single graph for two different searches . in Dashboards & Visualizations

Can i create a single graph for two different searches .

anshuman19 — Thu, 18 Jan 2018 05:26:11 GMT

I uploaded 2 csv file in splunk enterprise and when I search indivisually they show a graph I want both graph in one graph and they should be graphed with different color. My two searches are as follows:
source="D:\ASTSTCD01\Application.csv" host="USER" index="widows" sourcetype="csv"
source="D:\ASTSTCD01\Security.csv" host="USER" index="widows" sourcetype="csv"

Re: Can i create a single graph for two different searches .

mayurr98 — Thu, 18 Jan 2018 05:54:06 GMT

can you give seperate individual searches for both the graphs? you have given only main search.

Re: Can i create a single graph for two different searches .

niketn — Thu, 18 Jan 2018 06:05:11 GMT

What is the query for current graph?

You probably just need to split the transforming command by source i.e.

 <YourBaseSearch>
| stats count by source

 <YourBaseSearch>
| timechart count by source

Re: Can i create a single graph for two different searches .

anshuman19 — Thu, 18 Jan 2018 06:08:55 GMT

Suppose I searched
index="widows" "Microsoft-Windows-Security-Auditing"
index="widows" "Special Logon"
this in my search bar and I want to compare these two so I want to be in 1 graph.can we do thi
can we do this?

Re: Can i create a single graph for two different searches .

anshuman19 — Thu, 18 Jan 2018 10:25:24 GMT

what I have done is
searched a particular index in search bar and then used visualization tab to create a graph and saved it as a dashboard again searched for another index and used visualization tab to create a graph and saved saved it as panel of that dashboard. here the graph are created in panel .
But I want to have that 2 graph show on one graph so that I can compare them.

Re: Can i create a single graph for two different searches .

mayurr98 — Thu, 18 Jan 2018 10:28:13 GMT

but anshuman can you give us full query for two graphs ? you are just giving main search need full query or else give us dashboard XML

Re: Can i create a single graph for two different searches .

anshuman19 — Thu, 18 Jan 2018 10:52:43 GMT

hii @mayurr98
I am searching index for 2 time range
I am searching index like this
index="adtstdc01_ap"
with time range 24 hours
and again searching same index with time range "all time"
and saving both as dashboard.
so I am not understanding what you here mean by full query.
here is my dashboard of that.

Dash

      | pivot dash1 RootObject count(RootObject) AS "Count

of 1516272246.164" SPLITROW _time AS
_time PERIOD auto SORT 0 _time ROWSUMMARY 0 COLSUMMARY 0 SHOWOTHER
1
-24h@h
now
1

    ellipsisNone
    0
    visible
    visible
    visible
    none
    linear
    none
    linear
    none
    0
    inherit
    line
    50
    10
    area
    gaps
    none
    0.01
    default
    shiny
    none
    0
    0
    ellipsisMiddle
    standard
    none
    2
    0
    1
    medium






      | pivot dash2 RootObject count(RootObject) AS "Count

of 1516272311.182" SPLITROW _time AS
_time PERIOD auto SORT 0 _time ROWSUMMARY 0 COLSUMMARY 0 SHOWOTHER
1
0
1

    ellipsisNone
    0
    visible
    visible
    visible
    none
    linear
    none
    linear
    none
    0
    inherit
    line
    50
    10
    area
    gaps
    none
    0.01
    default
    shiny
    none
    0
    0
    ellipsisMiddle
    standard
    none
    2
    0
    1
    medium

Re: Can i create a single graph for two different searches .

mayurr98 — Thu, 18 Jan 2018 12:43:50 GMT

Your XML is not uploaded appropriately. by the way, I am asking full query because I am confused about your requirement.Are you just comparing raw logs? or you have a visualization made by commands like stats time-chart or chart?
So in order to merge two queries I need to know what sort of visualization you want.Or you are just comparing the total count of query1 and query2?

Re: Can i create a single graph for two different searches .

auraria — Mon, 22 Jan 2018 17:03:13 GMT

Couldn't you just combine both searches into one? How are you trying to display it?

(source="D:\\ASTSTCD01\\Application.csv" host="USER" index="widows" sourcetype="csv") OR (source="D:\\ASTSTCD01\\Security.csv" host="USER" index="widows" sourcetype="csv") | stats count by source

Does this working for what you're attempting to do?