overlay time chart from different sources

athorat — Mon, 14 Mar 2016 21:27:08 GMT

I want to overlay two different time charts in one panel.
can this be done.

index = aap_prod (sourcetype=fs_notification OR sourcetype=hadoop:prod:fm:journey) (action=add OR eventtype=fschange_add_file) |  timechart  count

and

index=aap_prod sourcetype="HDP:PROD:OOZIE"    (":start:] with user-retry state" OR CASE("@end***]Action updated in DB!"))   | rex "TOKEN\[\] APP\[(?<JobName>[^\]]*)"  | search JobName=WF_danlaw_journey_hive | timechart count

Thanks.

Re: overlay time chart from different sources

martin_mueller — Mon, 14 Mar 2016 21:34:58 GMT

The most simple approach is this:

index = aap_prod (sourcetype=fs_notification OR sourcetype=hadoop:prod:fm:journey) (action=add OR eventtype=fschange_add_file) |  timechart  count as countB
| appendcols [search index=aap_prod sourcetype="HDP:PROD:OOZIE"    (":start:] with user-retry state" OR CASE("@end***]Action updated in DB!"))   | rex "TOKEN\[\] APP\[(?<JobName>[^\]]*)"  | search JobName=WF_danlaw_journey_hive | timechart count as countA]

If you clean up your searches a bit, for example extract the rex'd field from configuration, maybe store everything in eventtypes, etc., you could do something like this:

index=app_prod (eventtype=A OR eventtype=B) | eval class = if(eventtype="A", "A", "B") | timechart count by class

I've assumed that in case of A and B matching it should be counted for A... that's a matter of requirements though.

topic Re: overlay time chart from different sources in Splunk Search

overlay time chart from different sources

Re: overlay time chart from different sources