https://community.splunk.com/t5/Splunk-Search/How-to-combine-the-results-of-my-two-searches-in-one-graph/m-p/195872#M56470 <P>I have these two simple searches and I would like to combine them on one graph to display both "passed" and "failed" data. What is the most efficient way to do that? I would like to take this as an example for my future use.</P> <PRE><CODE>index=all-mac host=eng* "unkown MAC" OR "No MAC " OR "mismatch MAC" | timechart count as Failed span=1d </CODE></PRE> <P>and</P> <PRE><CODE>index=al-mac host=eng* "match for MAC" | timechart count as Passed span=1d </CODE></PRE> Mon, 19 Jan 2015 22:11:15 GMT raindrop18 2015-01-19T22:11:15Z https://community.splunk.com/t5/Splunk-Search/How-to-combine-the-results-of-my-two-searches-in-one-graph/m-p/195872#M56470 <P>I have these two simple searches and I would like to combine them on one graph to display both "passed" and "failed" data. What is the most efficient way to do that? I would like to take this as an example for my future use.</P> <PRE><CODE>index=all-mac host=eng* "unkown MAC" OR "No MAC " OR "mismatch MAC" | timechart count as Failed span=1d </CODE></PRE> <P>and</P> <PRE><CODE>index=al-mac host=eng* "match for MAC" | timechart count as Passed span=1d </CODE></PRE> Mon, 19 Jan 2015 22:11:15 GMT https://community.splunk.com/t5/Splunk-Search/How-to-combine-the-results-of-my-two-searches-in-one-graph/m-p/195872#M56470 raindrop18 2015-01-19T22:11:15Z https://community.splunk.com/t5/Splunk-Search/How-to-combine-the-results-of-my-two-searches-in-one-graph/m-p/195873#M56471 <P>Something like this should do..<BR /> <PRE><BR /> index=all-mac host=eng* | eval STATUS= if(searchmatch("unkown MAC"), "Failed", (if(searchmatch("No MAC"),"Failed", if(searchmatch("No MAC"), "Failed", if(searchmatch("match for MAC"), "Passed","OTHER"))))) | timechart span=1d count by STATUS<BR /> </PRE></P> Tue, 20 Jan 2015 04:33:54 GMT https://community.splunk.com/t5/Splunk-Search/How-to-combine-the-results-of-my-two-searches-in-one-graph/m-p/195873#M56471 pradeepkumarg 2015-01-20T04:33:54Z https://community.splunk.com/t5/Splunk-Search/How-to-combine-the-results-of-my-two-searches-in-one-graph/m-p/195874#M56472 <P>thanks much for your response! do you mind if you can tell me how "Passed" evaluate? the search key for passed is "match for MAC" so i am curious about that.</P> Tue, 20 Jan 2015 16:23:12 GMT https://community.splunk.com/t5/Splunk-Search/How-to-combine-the-results-of-my-two-searches-in-one-graph/m-p/195874#M56472 raindrop18 2015-01-20T16:23:12Z https://community.splunk.com/t5/Splunk-Search/How-to-combine-the-results-of-my-two-searches-in-one-graph/m-p/195875#M56473 <P>I've edited my answer to consider "match for MAC" explicitly for "Passed"</P> Tue, 20 Jan 2015 16:31:11 GMT https://community.splunk.com/t5/Splunk-Search/How-to-combine-the-results-of-my-two-searches-in-one-graph/m-p/195875#M56473 pradeepkumarg 2015-01-20T16:31:11Z https://community.splunk.com/t5/Splunk-Search/How-to-combine-the-results-of-my-two-searches-in-one-graph/m-p/195876#M56474 <P>thanks, it's working perfectly. something try to remove is "OTHER" is that must be there to work. i am only need Failed and Passed on my graph.</P> Tue, 20 Jan 2015 17:42:09 GMT https://community.splunk.com/t5/Splunk-Search/How-to-combine-the-results-of-my-two-searches-in-one-graph/m-p/195876#M56474 raindrop18 2015-01-20T17:42:09Z https://community.splunk.com/t5/Splunk-Search/How-to-combine-the-results-of-my-two-searches-in-one-graph/m-p/195877#M56475 <P>If you want to compare times, week over week for example, in your timeline there is a great app that helps with that, timewrap.</P> <P><A href="https://apps.splunk.com/app/1645/">https://apps.splunk.com/app/1645/</A></P> Tue, 20 Jan 2015 18:08:26 GMT https://community.splunk.com/t5/Splunk-Search/How-to-combine-the-results-of-my-two-searches-in-one-graph/m-p/195877#M56475 trsavela 2015-01-20T18:08:26Z https://community.splunk.com/t5/Splunk-Search/How-to-combine-the-results-of-my-two-searches-in-one-graph/m-p/195878#M56476 <P>Give this one a try which will not yield the "OTHERs"</P> <PRE><CODE>index=all-mac host=eng* "unkown MAC" OR "No MAC " OR "mismatch MAC" OR "match for MAC" | eval STATUS= if(searchmatch("match for MAC"), "Passed", "Failed") | timechart span=1d count by STATUS </CODE></PRE> <P>Basically, base search itself filters unwanted events and this makes the STATUS calculation also simple.</P> Tue, 20 Jan 2015 19:34:48 GMT https://community.splunk.com/t5/Splunk-Search/How-to-combine-the-results-of-my-two-searches-in-one-graph/m-p/195878#M56476 somesoni2 2015-01-20T19:34:48Z https://community.splunk.com/t5/Splunk-Search/How-to-combine-the-results-of-my-two-searches-in-one-graph/m-p/195879#M56477 <P>like @somesoni2 suggested, you can prefilter the data within your base search by adding <PRE>"unkown MAC" OR "No MAC " OR "mismatch MAC" OR "match for MAC"</PRE> or you can also do <PRE>STATUS!="OTHER" just before your timechart<BR /> </PRE></P> Tue, 20 Jan 2015 21:08:03 GMT https://community.splunk.com/t5/Splunk-Search/How-to-combine-the-results-of-my-two-searches-in-one-graph/m-p/195879#M56477 pradeepkumarg 2015-01-20T21:08:03Z https://community.splunk.com/t5/Splunk-Search/How-to-combine-the-results-of-my-two-searches-in-one-graph/m-p/195880#M56478 <P>thanks much, work as expected.</P> Tue, 20 Jan 2015 21:14:26 GMT https://community.splunk.com/t5/Splunk-Search/How-to-combine-the-results-of-my-two-searches-in-one-graph/m-p/195880#M56478 raindrop18 2015-01-20T21:14:26Z