topic Combine result from 2 queries into same bar chart in Splunk Search

Combine result from 2 queries into same bar chart

hardywang — Fri, 03 Jan 2020 14:36:51 GMT

I see such questions are frequently asked on this forum, but I still don't get a clear picture yet.

I have my first query index=same-index source="same-source" "first-query-static-text" | eval date=strftime(_time, "%Y-%m-%d") | chart count over date and I add it to my dashboard's panel as column chart. Everything is working fine.

My second query index=same-index source="same-source" | regex log="second-query-regex" | eval date=strftime(_time, "%Y-%m-%d") | chart count over date and I add it to my dashboard's panel as column chart. Everything is working fine.

Now I have to column charts, each from its own query.

What I want is to have 1 single column chart, each date on x axis has 2 columns (1 value from each query) and use different colours to indicate what is the value for.

Any suggestions?

Re: Combine result from 2 queries into same bar chart

jpolvino — Fri, 03 Jan 2020 20:46:10 GMT

One way to do this would be to give each search result set its own name, and use that for the series. The multisearch command may help:

| multisearch
[search index=same-index source="same-source" "first-query-static-text" | eval date=strftime(_time, "%Y-%m-%d") | eval seriesName="First"]
[search index=same-index source="same-source" | regex log="second-query-regex" | eval date=strftime(_time, "%Y-%m-%d") | eval seriesName="Second"]
chart count over date by seriesName

I don't use the chart command often, so this might not be solid. Using timechart the last line might look like | timechart span=1d count by seriesName

Re: Combine result from 2 queries into same bar chart

mydog8it — Fri, 03 Jan 2020 21:00:13 GMT

Give this a look and see if it is what you are after...

    index=same-index source="same-source" "first-query-static-text" 
    | bucket _time span=1d 
    | timechart count AS first_query_count 
    | appendcols 
        [ search index=same-index source="same-source" 
        | regex log="second-query-regex" 
        | bucket _time span=1d 
        | timechart count AS second_query_count 
        | fields second_query_count]

Re: Combine result from 2 queries into same bar chart

hardywang — Fri, 03 Jan 2020 21:16:19 GMT

Your suggestion worked perfectly! I will also explore timechart command.

I am learning splunk, lots to explore.

Re: Combine result from 2 queries into same bar chart

hardywang — Mon, 06 Jan 2020 14:52:32 GMT

Once I start to use timechart and simplify the query this way, I don't get anything back. Is it a wrong syntax?

| multisearch
 [search index=same-index source="same-source" "first-query-static-text" | eval seriesName="First"]
 [search index=same-index source="same-source" | regex log="second-query-regex" | eval seriesName="Second"]
 | timechart span=1d count by seriesName