https://community.splunk.com/t5/Splunk-Search/sum-two-fileds-count-on-linechart/m-p/152993#M42883 <P>Try:</P> <PRE><CODE>source="*0307.log*" trigger0=* OR trigger=* [ search trigger0=* | head 1 | eval earliest=relative_time(lastTime,"-15d") | eval latest=_time | fields earliest, latest | format "(" "(" "" ")" "OR" ")" ] | timechart span=1h eval(count(trigger)+count(trigger0)) as triggerMain </CODE></PRE> Sat, 28 Feb 2015 23:59:15 GMT cpetterborg 2015-02-28T23:59:15Z https://community.splunk.com/t5/Splunk-Search/sum-two-fileds-count-on-linechart/m-p/152988#M42878 <P>I have two fields <EM>trigger0</EM> and <EM>trigger</EM> that occur several times per hour and I would like the sum (number of occurrences) of both over a one-hour timespan. I tried a lot of things from the forum but I always get "no result found".<BR /> A few examples of what I've tried:</P> <PRE><CODE>source="*0307.log*" trigger0=* trigger=* [ search trigger0=* | head 1 | eval earliest=relative_time(lastTime,"-15d") | eval latest=_time | fields earliest, latest | format "(" "(" "" ")" "OR" ")" ] | timechart span=1h sum( eval(count(trigger) + count(trigger0)) ) as totaltrigger source="*0307.log*" trigger0=* trigger=* [ search trigger0=* | head 1 | eval earliest=relative_time(lastTime,"-15d") | eval latest=_time | fields earliest, latest | format "(" "(" "" ")" "OR" ")" ] | timechart span=1h count(trigger) count(trigger0) </CODE></PRE> <P>It's the part after the last pipe that causes problem, I'm using the first part in other graphs.</P> Sat, 28 Feb 2015 14:28:59 GMT https://community.splunk.com/t5/Splunk-Search/sum-two-fileds-count-on-linechart/m-p/152988#M42878 Javo222 2015-02-28T14:28:59Z https://community.splunk.com/t5/Splunk-Search/sum-two-fileds-count-on-linechart/m-p/152989#M42879 <P>Your first problem may be:</P> <PRE><CODE>(trigger0=* OR trigger=*) </CODE></PRE> <P>Without seeing more of what your data looks like I can't comment further on your search, but the "no result found" problem may be taken care of with using an OR between your trigger conditions if you don't have BOTH trigger0 and trigger in every event.</P> <P><STRONG>Again, without seeing more of what your data looks like, it is hard to tell what is wrong.</STRONG></P> Sat, 28 Feb 2015 15:57:14 GMT https://community.splunk.com/t5/Splunk-Search/sum-two-fileds-count-on-linechart/m-p/152989#M42879 cpetterborg 2015-02-28T15:57:14Z https://community.splunk.com/t5/Splunk-Search/sum-two-fileds-count-on-linechart/m-p/152990#M42880 <P>both are extracted fields and there are always present in different events.<BR /> an event looks like:</P> <PRE><CODE>2015-02-22 23:59:35,255 INFO [0.809.1.31.] ......... Start executing rule with ID 304. Triggered by a MotionDetection at 05:59:35 (Utc). </CODE></PRE> Sat, 28 Feb 2015 16:22:52 GMT https://community.splunk.com/t5/Splunk-Search/sum-two-fileds-count-on-linechart/m-p/152990#M42880 Javo222 2015-02-28T16:22:52Z https://community.splunk.com/t5/Splunk-Search/sum-two-fileds-count-on-linechart/m-p/152991#M42881 <P>Ok, I almost got it. This works:</P> <PRE><CODE>source="*0307.log*" trigger0=* OR trigger=* [ search trigger0=* | head 1 | eval earliest=relative_time(lastTime,"-15d") | eval latest=_time | fields earliest, latest | format "(" "(" "" ")" "OR" ")" ] | timechart span=1h eval(count(trigger)) as trigger01, eval(count(trigger0)) as trigger001| eval triggerMain = trigger01+ trigger001 </CODE></PRE> <P>But all three charts are displayed (trigger01,trigger001, triggerMain) and I would like to chart only triggerMain. I haven't managed so far</P> Sat, 28 Feb 2015 17:08:00 GMT https://community.splunk.com/t5/Splunk-Search/sum-two-fileds-count-on-linechart/m-p/152991#M42881 Javo222 2015-02-28T17:08:00Z https://community.splunk.com/t5/Splunk-Search/sum-two-fileds-count-on-linechart/m-p/152992#M42882 <P>Your search could be</P> <PRE><CODE>source="*0307.log*" trigger0=* OR trigger=* [ search trigger0=* | head 1 | eval earliest=relative_time(lastTime,"-15d") | eval latest=_time | fields earliest, latest | format "(" "(" "" ")" "OR" ")" ] | eval triggerMain = trigger+ trigger0 | timechart span=1h count(triggerMain) as triggerMain </CODE></PRE> <P>If for some reason that doesn't work, then you could also do</P> <PRE><CODE>source="*0307.log*" trigger0=* OR trigger=* [ search trigger0=* | head 1 | eval earliest=relative_time(lastTime,"-15d") | eval latest=_time | fields earliest, latest | format "(" "(" "" ")" "OR" ")" ] | timechart span=1h eval(count(trigger)) as trigger01, eval(count(trigger0)) as trigger001 | eval triggerMain = trigger01+ trigger001 | fields - trigger01 trigger001 </CODE></PRE> <P>Also, I am unclear why you need all the fancy stuff for setting earliest and latest. You may get the same result by doing this:</P> <PRE><CODE>source="*0307.log*" trigger0=* OR trigger=* | eval triggerMain = trigger + trigger0 | timechart fixedrange=F span=1h count(triggerMain) as triggerMain </CODE></PRE> Sat, 28 Feb 2015 19:53:52 GMT https://community.splunk.com/t5/Splunk-Search/sum-two-fileds-count-on-linechart/m-p/152992#M42882 lguinn2 2015-02-28T19:53:52Z https://community.splunk.com/t5/Splunk-Search/sum-two-fileds-count-on-linechart/m-p/152993#M42883 <P>Try:</P> <PRE><CODE>source="*0307.log*" trigger0=* OR trigger=* [ search trigger0=* | head 1 | eval earliest=relative_time(lastTime,"-15d") | eval latest=_time | fields earliest, latest | format "(" "(" "" ")" "OR" ")" ] | timechart span=1h eval(count(trigger)+count(trigger0)) as triggerMain </CODE></PRE> Sat, 28 Feb 2015 23:59:15 GMT https://community.splunk.com/t5/Splunk-Search/sum-two-fileds-count-on-linechart/m-p/152993#M42883 cpetterborg 2015-02-28T23:59:15Z https://community.splunk.com/t5/Splunk-Search/sum-two-fileds-count-on-linechart/m-p/152994#M42884 <P>Your second solution works fine. I need the fancy stuff because I only want to see the last 15 days of event and the latest event is not always "now".</P> Sun, 01 Mar 2015 11:19:36 GMT https://community.splunk.com/t5/Splunk-Search/sum-two-fileds-count-on-linechart/m-p/152994#M42884 Javo222 2015-03-01T11:19:36Z https://community.splunk.com/t5/Splunk-Search/sum-two-fileds-count-on-linechart/m-p/152995#M42885 <P>@Cpetterborg 's solution works fine and looks easier than lguinn</P> Sun, 01 Mar 2015 11:20:22 GMT https://community.splunk.com/t5/Splunk-Search/sum-two-fileds-count-on-linechart/m-p/152995#M42885 Javo222 2015-03-01T11:20:22Z