Combine two chart

gjhaaland · ‎10-27-2023

Hi,

I have create two different timechart like:

Timechart1(cable connection on/off):

index=cisco_asa dest_interface=outside | timechart span=10m dc(count) by count

Timechart2(login user listed):

host=10.1.1.1 src_sg_info=* | timechart span=10m dc(src_sg_info) by src_sg_info

Individually the display is perfect, but it would be even better if we could combined into one graph with common timestamps.

I search through splunk documents, also tried different setup without success. Hope someone could help me with it 🙂

gjhaaland · ‎10-27-2023

Thanks 🙂 yes the search looks strange, but it's the only way out of my problems. If dest_interface=outside the cable to outside interface is connected. Not sure why, but it's perfect. I have also tried to use appendcols to combine both graphs without success. I think I must do more investigation to find out why.

Geir

PickleRick · ‎10-28-2023

appendcols just puts two sets side by side without any kind of "matching" between those sets so first row of set B will be appended to first row of set A regardless of what order of events each of those sets had.

I think you should rather simply append (not appendcols) those searches together and then do some form of stats by _time (or timechart again) to match data points from the same timestamp.

ITWhisperer · ‎10-27-2023

You can try appending the second search to the first search

Having said that using dc by the same field is only every going to give counts of 1 so your searches seem a little strange.

Combine two chart

timechart

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

Logs to Metrics

Developer Spotlight with Paul Stout