I uploaded 2 CSV files in Splunk Enterprise, and when I search them individually they each show a graph. I want both graphs in one graph, and they should be graphed with different colors. My two searches are as follows:
source="D:\ASTSTCD01\Application.csv" host="USER" index="widows" sourcetype="csv"
source="D:\ASTSTCD01\Security.csv" host="USER" index="widows" sourcetype="csv"
Couldn't you just combine both searches into one? How are you trying to display it?
(source="D:\\ASTSTCD01\\Application.csv" host="USER" index="widows" sourcetype="csv") OR (source="D:\\ASTSTCD01\\Security.csv" host="USER" index="widows" sourcetype="csv") | stats count by source
Does this work for what you're attempting to do?
What is the query for current graph?
You probably just need to split the transforming command by source, i.e.
<YourBaseSearch>
| stats count by source
Or
<YourBaseSearch>
| timechart count by source
What I have done is:
I searched a particular index in the search bar, then used the Visualization tab to create a graph and saved it as a dashboard. Then I searched another index, used the Visualization tab to create a graph, and saved it as a panel of that dashboard. Here the graphs are created in separate panels.
But I want to have those 2 graphs shown on one graph so that I can compare them.
But Anshuman, can you give us the full query for the two graphs? You are just giving the main search. We need the full query, or else give us the dashboard XML.
Hi @mayurr98,
I am searching an index for 2 time ranges.
I am searching the index like this:
index="adtstdc01_ap"
with time range 24 hours,
and again searching the same index with time range "all time",
and saving both as a dashboard.
So I am not understanding what you mean here by full query.
Here is my dashboard of that.
Dash

Panel 1 (earliest: -24h@h, latest: now):
| pivot dash1 RootObject count(RootObject) AS "Count of 1516272246.164" SPLITROW _time AS _time PERIOD auto SORT 0 _time ROWSUMMARY 0 COLSUMMARY 0 SHOWOTHER 1

Panel 2 (earliest: 0, i.e. all time):
| pivot dash2 RootObject count(RootObject) AS "Count of 1516272311.182" SPLITROW _time AS _time PERIOD auto SORT 0 _time ROWSUMMARY 0 COLSUMMARY 0 SHOWOTHER 1
Your XML is not uploaded appropriately. By the way, I am asking for the full query because I am confused about your requirement. Are you just comparing raw logs, or do you have a visualization made by commands like stats, timechart or chart?
So in order to merge two queries I need to know what sort of visualization you want. Or are you just comparing the total count of query1 and query2?
Can you give the separate individual searches for both the graphs? You have given only the main search.
Suppose I searched
index="widows" "Microsoft-Windows-Security-Auditing"
index="widows" "Special Logon"
in my search bar and I want to compare these two, so I want them in 1 graph. Can we do this?
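As an added example (not from any poster in this thread), the same "split the transforming command by a field" technique shown for the two CSV sources, applied to the two keyword searches above: both searches are merged into one base search, an `eval` derives a `series` field that names which search each event belongs to, and `timechart` splits on that field so each series gets its own colored line. The field name `series`, the `span`, and the assumption that an event mentioning "Special Logon" is also a Security-Auditing event (so it must be tested first) are mine, not the original poster's. The same pattern with `| timechart count by source` covers the Application.csv / Security.csv case from the start of the thread.

```spl
index="widows" ("Microsoft-Windows-Security-Auditing" OR "Special Logon")
| eval series=if(match(_raw, "Special Logon"), "Special Logon", "Microsoft-Windows-Security-Auditing")
| timechart span=1h count by series
```

Run this with the widest of the two time ranges selected in the time picker; the chart then has one line per series, which is what a single panel with distinct colors requires. If the two original searches return overlapping events, the `eval` decides which series an event is counted under, so adjust the `if` (or use `case` with more branches) to match the intended grouping.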