Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to combine two charts into one?

DEADBEEF
Path Finder
‎10-29-2021 09:29 AM

I have two charts that work as expected when separate, but I'm having  a hard time combining them into one chart as they have different search criteria (but from the same index/source) so search2 ends up being wrong when using the criteria from search 1.  I tried combining using the chart overlays but I couldn't get it to work.  Any pointers would be very much appreciated!

search 1 - last 30 days

 

 

index=foo source=bar criticality=high state=open
| bin _time span=1d
| stats count AS warnings by _time

 

 

search 2 - last 30 days

 

 

index=foo source=bar
| bin _time span=1d
| stats dc(accountId) AS Accounts by _time

 

 

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎10-29-2021 10:52 AM

Give this a try:

index=foo source=bar | eval warning=if(criticality="high" AND state="open",1,0) | bin _time span=1d | stats dc(accountId) AS Accounts sum(warning) as warnings by _time

View solution in original post

Reply
Solved! Jump to solution

DEADBEEF
Path Finder
‎10-29-2021 12:42 PM

@somesoni2 you've helped me many times over the years.  Thank you for being a part of this community.  The answer worked like a charm.   I'm going to keep that eval trick in my pocket!

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎10-29-2021 10:52 AM

Give this a try:

index=foo source=bar | eval warning=if(criticality="high" AND state="open",1,0) | bin _time span=1d | stats dc(accountId) AS Accounts sum(warning) as warnings by _time
Reply
Get Updates on the Splunk Community!