https://community.splunk.com/t5/Splunk-Search/Can-I-with-one-search-graph-two-different-time-chart-spans/m-p/227040#M67004 <P>Try like this<BR /> <STRONG>Update- Fixed typo in the timechart/appendpipe subsearch, updated fieldname</STRONG></P> <PRE><CODE>your base search | timechart span=1h count as count_h | appendpipe [ | timechart span=1d sum(count_h) as count_d] | sort 0 _time </CODE></PRE> Fri, 30 Sep 2016 21:58:25 GMT somesoni2 2016-09-30T21:58:25Z https://community.splunk.com/t5/Splunk-Search/Can-I-with-one-search-graph-two-different-time-chart-spans/m-p/227039#M67003 <P>I have a simple search <STRONG>only to count the events per timelapse</STRONG>.</P> <P>I am trying to graph that in only one graph with two time spans: day and hour</P> <P>I am using for separated </P> <P><EM>"...| timechart count span=1d"<BR /> "...| timechart count span=1h"</EM></P> <P>Can I join i one sentence a graph that?</P> Fri, 30 Sep 2016 21:51:33 GMT https://community.splunk.com/t5/Splunk-Search/Can-I-with-one-search-graph-two-different-time-chart-spans/m-p/227039#M67003 omarlira 2016-09-30T21:51:33Z https://community.splunk.com/t5/Splunk-Search/Can-I-with-one-search-graph-two-different-time-chart-spans/m-p/227040#M67004 <P>Try like this<BR /> <STRONG>Update- Fixed typo in the timechart/appendpipe subsearch, updated fieldname</STRONG></P> <PRE><CODE>your base search | timechart span=1h count as count_h | appendpipe [ | timechart span=1d sum(count_h) as count_d] | sort 0 _time </CODE></PRE> Fri, 30 Sep 2016 21:58:25 GMT https://community.splunk.com/t5/Splunk-Search/Can-I-with-one-search-graph-two-different-time-chart-spans/m-p/227040#M67004 somesoni2 2016-09-30T21:58:25Z https://community.splunk.com/t5/Splunk-Search/Can-I-with-one-search-graph-two-different-time-chart-spans/m-p/227041#M67005 <P>Nope</P> <P><EM>Error in 'timechart' command: The specifier 'count_h' is invalid. It must be in form (). For example: max(size).<BR /> The search job has failed due to an error. You may be able view the job in the Job Inspector.</EM></P> <P><span class="lia-unicode-emoji" title=":confused_face:">😕</span></P> Fri, 30 Sep 2016 22:05:35 GMT https://community.splunk.com/t5/Splunk-Search/Can-I-with-one-search-graph-two-different-time-chart-spans/m-p/227041#M67005 omarlira 2016-09-30T22:05:35Z https://community.splunk.com/t5/Splunk-Search/Can-I-with-one-search-graph-two-different-time-chart-spans/m-p/227042#M67006 <P>not yet...</P> Fri, 30 Sep 2016 22:05:53 GMT https://community.splunk.com/t5/Splunk-Search/Can-I-with-one-search-graph-two-different-time-chart-spans/m-p/227042#M67006 omarlira 2016-09-30T22:05:53Z https://community.splunk.com/t5/Splunk-Search/Can-I-with-one-search-graph-two-different-time-chart-spans/m-p/227043#M67007 <P>Look that:</P> <P><EM>"... | timechart span=1h count | appendpipe [ | timechart span=1d sum(count) as count_d] | sort 0 _time"</EM></P> <P>works fine.</P> <P>Thanks a lot man!</P> Fri, 30 Sep 2016 22:11:32 GMT https://community.splunk.com/t5/Splunk-Search/Can-I-with-one-search-graph-two-different-time-chart-spans/m-p/227043#M67007 omarlira 2016-09-30T22:11:32Z https://community.splunk.com/t5/Splunk-Search/Can-I-with-one-search-graph-two-different-time-chart-spans/m-p/227044#M67008 <P>The <CODE>timechart</CODE> command is missing an alias. Try this</P> <PRE><CODE> your base search | timechart span=1h AS count_h | appendpipe [ | timechart span=1d sum(count) as count_d] | sort 0 _time </CODE></PRE> Fri, 30 Sep 2016 22:19:09 GMT https://community.splunk.com/t5/Splunk-Search/Can-I-with-one-search-graph-two-different-time-chart-spans/m-p/227044#M67008 sundareshr 2016-09-30T22:19:09Z