https://community.splunk.com/t5/Splunk-Search/Timechart-and-overlay-two-columns/m-p/296655#M89497 <P>Hi snipedown21,<BR /> try something like this:</P> <PRE><CODE>your_search | eval result=if(outcomeIndicator&lt;2,"Success","Failure") | timechart count by result </CODE></PRE> <P>To set the green and red colors use</P> <PRE><CODE>&lt;option name="charting.legend.labels"&gt;[Success,Failure]&lt;/option&gt; &lt;option name="charting.seriesColors"&gt;[0x008000,0xFF0000]&lt;/option&gt; </CODE></PRE> <P>Bye.<BR /> Giuseppe</P> Fri, 13 Oct 2017 06:50:06 GMT gcusello 2017-10-13T06:50:06Z https://community.splunk.com/t5/Splunk-Search/Timechart-and-overlay-two-columns/m-p/296654#M89496 <P>I have a field outcomeIndicator in my data, that holds values 0,1,5,8. <BR /> 0 and 1 mean a success of the event, and 5 and 8 mean failure.<BR /> Now, I want to use timechart count to plot these values over a month, for a span of 1 day, i.e the timechart must show the total events in a day resulting in success and failures, for the previous 30 days.<BR /> This timechart must strictly be graphical and must show the trend for both failures and successes over a month.<BR /> <span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/3625iC894799AD356E37F/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>Here the green colored trend-line represents the success per day for a month and the red colored trend-line represents failures per day over a month. The image is just for representation and I want to know the possibilities of achieving this.<BR /> Thank you.<BR /> Cheers.<BR /> -Snipedown21</P> Fri, 13 Oct 2017 06:32:28 GMT https://community.splunk.com/t5/Splunk-Search/Timechart-and-overlay-two-columns/m-p/296654#M89496 snipedown21 2017-10-13T06:32:28Z https://community.splunk.com/t5/Splunk-Search/Timechart-and-overlay-two-columns/m-p/296655#M89497 <P>Hi snipedown21,<BR /> try something like this:</P> <PRE><CODE>your_search | eval result=if(outcomeIndicator&lt;2,"Success","Failure") | timechart count by result </CODE></PRE> <P>To set the green and red colors use</P> <PRE><CODE>&lt;option name="charting.legend.labels"&gt;[Success,Failure]&lt;/option&gt; &lt;option name="charting.seriesColors"&gt;[0x008000,0xFF0000]&lt;/option&gt; </CODE></PRE> <P>Bye.<BR /> Giuseppe</P> Fri, 13 Oct 2017 06:50:06 GMT https://community.splunk.com/t5/Splunk-Search/Timechart-and-overlay-two-columns/m-p/296655#M89497 gcusello 2017-10-13T06:50:06Z https://community.splunk.com/t5/Splunk-Search/Timechart-and-overlay-two-columns/m-p/296656#M89498 <P>Hi Giuseppe.<BR /> Dude!!! That was absolutely perfect. Even the color schemes I had put up in the sample were exactly what you gave me.<BR /> Thank you a lot.</P> Fri, 13 Oct 2017 08:52:48 GMT https://community.splunk.com/t5/Splunk-Search/Timechart-and-overlay-two-columns/m-p/296656#M89498 snipedown21 2017-10-13T08:52:48Z