Solved: How to combine two charts into one?

DEADBEEF · ‎10-29-2021

I have two charts that work as expected when separate, but I'm having a hard time combining them into one chart as they have different search criteria (but from the same index/source) so search2 ends up being wrong when using the criteria from search 1. I tried combining using the chart overlays but I couldn't get it to work. Any pointers would be very much appreciated!

search 1 - last 30 days

index=foo source=bar criticality=high state=open
| bin _time span=1d
| stats count AS warnings by _time

search 2 - last 30 days

index=foo source=bar
| bin _time span=1d
| stats dc(accountId) AS Accounts by _time

somesoni2 · ‎10-29-2021

Give this a try:

index=foo source=bar | eval warning=if(criticality="high" AND state="open",1,0) | bin _time span=1d | stats dc(accountId) AS Accounts sum(warning) as warnings by _time

View solution in original post

DEADBEEF · ‎10-29-2021

@somesoni2 you've helped me many times over the years. Thank you for being a part of this community. The answer worked like a charm. I'm going to keep that eval trick in my pocket!

somesoni2 · ‎10-29-2021

Give this a try:

index=foo source=bar | eval warning=if(criticality="high" AND state="open",1,0) | bin _time span=1d | stats dc(accountId) AS Accounts sum(warning) as warnings by _time

How to combine two charts into one?

chart

Introducing Splunk Enterprise Security 8.0!

Mastering Threat Hunting

Upcoming Community Maintenance: 10/28