Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Combining two graphs into ONE

macadminrohit
Contributor
‎04-19-2018 04:51 PM

Hi Have the below Searches , most of which are common, only different is i am doing a regex in one of them to compare the string with a number. I am not sure if i can use a streamstats to combine two searches together to avoid running the search twice. Basically i want to combine the two graphs into one i.e one search will give a line graph and another will give a bar graph, like an overlay. With Same x-axis i.e count .

index=servers sourcetype=xs_json Name="Server App" Version=*
| bucket _time span=1h
| timechart count AS HTTP_COUNT by Url useother=f usenull=f limit=50
| fillnull value=0

index=servers sourcetype=xs_json Name="Server App" Version=*
| bucket _time span=1h
| rex field=_raw "Response Code\",\"value\":\"(?<RespCode>\w+)\"}," | where RespCode!=200
| timechart count AS ERROR_COUNT by Url useother=f usenull=f limit=50
| fillnull value=0

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

adonio
Ultra Champion
‎04-19-2018 05:03 PM

hello there,

you can use conditional eval in timechart as well

 index=servers sourcetype=xs_json Name="Server App" Version=* 
| bucket _time span=1h 
| rex field=_raw "Response Code\",\"value\":\"(?<RespCode>\w+)\"}," 
| timechart count(eval(RespCode>200) AS ERROR_COUNT count as HTTP_COUNT by Url useother=f usenull=f limit=50 
| fillnull value=0

hope it helps

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

adonio
Ultra Champion
‎04-19-2018 05:03 PM

hello there,

you can use conditional eval in timechart as well

 index=servers sourcetype=xs_json Name="Server App" Version=* 
| bucket _time span=1h 
| rex field=_raw "Response Code\",\"value\":\"(?<RespCode>\w+)\"}," 
| timechart count(eval(RespCode>200) AS ERROR_COUNT count as HTTP_COUNT by Url useother=f usenull=f limit=50 
| fillnull value=0

hope it helps

0 Karma
Reply
Solved! Jump to solution

macadminrohit
Contributor
‎04-19-2018 05:34 PM

Basically i dont want to combine the queries to get a single query, i want two graphs into an overlay. First query results into a bar graph and the second results into a line chart. I want those two graphs to overlay.

0 Karma
Reply
Solved! Jump to solution

adonio
Ultra Champion
‎04-19-2018 05:42 PM

use the chart overlay function in the viz
have it as a bar chart and then pick the field you want for chart overlay

Reply
Solved! Jump to solution

macadminrohit
Contributor
‎04-19-2018 06:49 PM

Thank you so Much Adonio. It works like a champ.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to ...

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to Officially Supported Splunk ...