https://community.splunk.com/t5/Splunk-Search/timechart-overlay-multiple-strings/m-p/69499#M17414 <P>I want to search 2 strings in log file, like "A string" &amp; "B String", A string should be treated as successful and B as Failure. Next I want to overlay both as line timechart, where successful events should go above x-axis and Failure events go below x-axis or they are showed as different colors.How this can be done?</P> Fri, 20 Sep 2013 18:43:49 GMT sunil_sharma 2013-09-20T18:43:49Z https://community.splunk.com/t5/Splunk-Search/timechart-overlay-multiple-strings/m-p/69499#M17414 <P>I want to search 2 strings in log file, like "A string" &amp; "B String", A string should be treated as successful and B as Failure. Next I want to overlay both as line timechart, where successful events should go above x-axis and Failure events go below x-axis or they are showed as different colors.How this can be done?</P> Fri, 20 Sep 2013 18:43:49 GMT https://community.splunk.com/t5/Splunk-Search/timechart-overlay-multiple-strings/m-p/69499#M17414 sunil_sharma 2013-09-20T18:43:49Z https://community.splunk.com/t5/Splunk-Search/timechart-overlay-multiple-strings/m-p/69500#M17415 <P>There are many ways, but this might be easiest.</P> <PRE><CODE>source=logfilename "A string" | eval series = "Success" | append [ search source=logfilename "B string" | eval series = "Failure" ] | timechart count by series </CODE></PRE> Fri, 20 Sep 2013 22:25:20 GMT https://community.splunk.com/t5/Splunk-Search/timechart-overlay-multiple-strings/m-p/69500#M17415 lguinn2 2013-09-20T22:25:20Z https://community.splunk.com/t5/Splunk-Search/timechart-overlay-multiple-strings/m-p/69501#M17416 <P>Thank you Iguinn,<BR /> It almost worked but how do I give alias to search string? My timechart shows Success and failure which I don't wanna show instead I want to give alias to them and also span for a day,Hi Thank you for your answer it almost worked but how do I give alias for search string and search for span of a 1day</P> Fri, 06 Mar 2015 08:44:50 GMT https://community.splunk.com/t5/Splunk-Search/timechart-overlay-multiple-strings/m-p/69501#M17416 SaiSirisha 2015-03-06T08:44:50Z https://community.splunk.com/t5/Splunk-Search/timechart-overlay-multiple-strings/m-p/69502#M17417 <P>How can I do a timechart with 2 strings and also give a Alias names to the string . How can span the reults for 1 day within same query?</P> Fri, 06 Mar 2015 09:04:21 GMT https://community.splunk.com/t5/Splunk-Search/timechart-overlay-multiple-strings/m-p/69502#M17417 SaiSirisha 2015-03-06T09:04:21Z https://community.splunk.com/t5/Splunk-Search/timechart-overlay-multiple-strings/m-p/69503#M17418 <P>You should post this as a new question, or a comment, instead of an answer to the top question.</P> <P>But to answer your answer: You can create an alias (called a <EM>search macro</EM> in Splunk) for a search string in the GUI under Settings - Advanced Search - Search Macros. To use the macro once it's been created, you have to surround your macro with backticks, like this: <CODE><CODE>myawesomemacro()</CODE></CODE>. The parenthesis are best to include, since there are cases where they are required even if you have no arguments.</P> <P>As for span, you can use <CODE>span=1d</CODE>. Check the <CODE>timechart</CODE> search command help and you will find the<CODE>span</CODE> option along with some example usage.</P> Fri, 06 Mar 2015 12:56:58 GMT https://community.splunk.com/t5/Splunk-Search/timechart-overlay-multiple-strings/m-p/69503#M17418 laserval 2015-03-06T12:56:58Z https://community.splunk.com/t5/Splunk-Search/timechart-overlay-multiple-strings/m-p/69504#M17419 <P>Hi,<BR /> I knew that I had to post as new question and I even tried but continously gave me form error. That the reason I posted my question as an answer.</P> <P>Anyways Thank you so much for the reply. it worked.<BR /> Sorry for inconvenience caused.</P> Mon, 09 Mar 2015 07:40:02 GMT https://community.splunk.com/t5/Splunk-Search/timechart-overlay-multiple-strings/m-p/69504#M17419 SaiSirisha 2015-03-09T07:40:02Z