https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-timechart-from-multiple-data-sources/m-p/334749#M99479 <P>Not sure about this. It is not giving expected results. But, the one answer posted below seems to work fine</P> Fri, 03 Mar 2017 15:34:28 GMT ataunk 2017-03-03T15:34:28Z https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-timechart-from-multiple-data-sources/m-p/334745#M99475 <P>I need a time chart from multiple source --</P> <P>First source search : <CODE>host=abcdefgh source="Test.log" index=app_ops_prod SessionID="*"</CODE><BR /> Second Source search : <CODE>host=abcdefgh source="Test.log" index=app_ops_prod "error.timeout"</CODE><BR /> Third Source search : <CODE>host=abcdefgh source="Test.log" index=app_ops_prod "error.badurl"</CODE></P> <P>My SessionID is a field, but other two strings might be present in the raw log. In short, for one request a log line is generated which will always have a SessionID, but few log lines may contain error. I want a timechart that will show number of request (i.e. count of SessionID) and the errors in all the request.</P> Fri, 03 Mar 2017 02:58:58 GMT https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-timechart-from-multiple-data-sources/m-p/334745#M99475 ataunk 2017-03-03T02:58:58Z https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-timechart-from-multiple-data-sources/m-p/334746#M99476 <P>Plz try that.</P> <P>index=app_ops_prod host=abcdefgh source="Test.log" SessionID="*" | timechart span=1m count(SessionID) | appendcols [search index=app_ops_prod host=abcdefgh source="Test.log" ("error.badurl" OR "error.timeout") | timechart span=1m count]</P> <P>Also on the chart, you can add the chart overlay to better illustrate your data.</P> Tue, 29 Sep 2020 13:07:44 GMT https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-timechart-from-multiple-data-sources/m-p/334746#M99476 arcdevil 2020-09-29T13:07:44Z https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-timechart-from-multiple-data-sources/m-p/334747#M99477 <P>Try like this</P> <PRE><CODE>host=abcdefgh source="Test.log" index=app_ops_prod (SessionID="*" OR "error.timeout" OR "error.badurl" ) | eval TimeoutError=if(searchmatch("error.timeout"),1,0) | eval BadUrlError=if(searchmatch("error.badurl"),1,0) | timechart count(SessionID) as NoOfRequests sum(TimeoutError) as TimeoutError sum(BadUrlError) as BadUrlError </CODE></PRE> Fri, 03 Mar 2017 15:18:19 GMT https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-timechart-from-multiple-data-sources/m-p/334747#M99477 somesoni2 2017-03-03T15:18:19Z https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-timechart-from-multiple-data-sources/m-p/334748#M99478 <P>This is working as expected. </P> Fri, 03 Mar 2017 15:33:30 GMT https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-timechart-from-multiple-data-sources/m-p/334748#M99478 ataunk 2017-03-03T15:33:30Z https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-timechart-from-multiple-data-sources/m-p/334749#M99479 <P>Not sure about this. It is not giving expected results. But, the one answer posted below seems to work fine</P> Fri, 03 Mar 2017 15:34:28 GMT https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-timechart-from-multiple-data-sources/m-p/334749#M99479 ataunk 2017-03-03T15:34:28Z https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-timechart-from-multiple-data-sources/m-p/334750#M99480 <P>No problem <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> I'm glad to hear that your problem has been solved.</P> Fri, 03 Mar 2017 15:55:04 GMT https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-timechart-from-multiple-data-sources/m-p/334750#M99480 arcdevil 2017-03-03T15:55:04Z