Hi,
There are two graphs, each showing status of two instances. I wanted to merge both graphs into one.
Both have the same source type and index. Can anyone suggest on this?
Thanks
As well as _time, you have two different dimensions, the instance number and the various readings, so you're probably better off just putting two separate panels on the same dash. Timechart doesn't handle multiple dimensions that well, so you'd end up with the individual lines being "instance1 - cpu", "instance2 - cpu" and so on, which isn't very readable.
@swetar - appendcols is going to fail the moment that either query returns a different number of results. If you provide the underlying searches, then we can help you merge them in a way that will work in all scenarios.
In general, you want to aim for
(index=foo1 sourcetype=bar whatever other search terms)
OR
(index=foo2 sourcetype=baz whatever other search terms)
| fields ... list all the fields you want to keep ...
| eval fields1 = create any fields you need to calculate
| timechart span=15m
count as nameOfFirstLine
sum(somefield) as nameOfSecondLine
aggregatefunction(fields) as nameOfThirdLine
aggregatefunction(fields) as nameOfFourthLine
The above should work under all cases, as long as the aggregate functions are operating on fields that will only be in the relevant events. You can control that either by building new fields that only exist on the right kind of record, or by using an eval in the aggregate function... which is an advanced method of coding that you may want to avoid for now.
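Added illustration, not part of any post in this thread and not Splunk code: a small Python model of why a positional column paste (how appendcols pairs rows, first with first, second with second) misplaces values when the two result sets differ in length, while a merge keyed on _time does not. The function names and the sample rows are constructed for this example.

```python
# Constructed sample data: 10-minute buckets, values are made up.
PARALLEL = [  # rows from the main search
    {"_time": "10:00", "Parallel Count for test1": 4},
    {"_time": "10:10", "Parallel Count for test1": 6},
    {"_time": "10:20", "Parallel Count for test1": 5},
]
SESSIONS = [  # rows from the second search; the 10:10 bucket is absent
    {"_time": "10:00", "Session Count for test1": 40},
    {"_time": "10:20", "Session Count for test1": 55},
]


def paste_by_position(main, sub):
    """Model of appendcols: row N of sub is pasted onto row N of main.
    Fields already present in main (here _time) are kept."""
    out = []
    for i, row in enumerate(main):
        merged = dict(row)
        if i < len(sub):
            for key, value in sub[i].items():
                merged.setdefault(key, value)
        out.append(merged)
    return out


def merge_by_time(*result_sets):
    """Model of the single-search approach: each row lands in the
    bucket named by its own _time, whatever its position."""
    buckets = {}
    for rows in result_sets:
        for row in rows:
            buckets.setdefault(row["_time"], {}).update(row)
    return [buckets[t] for t in sorted(buckets)]


def misaligned(merged, sub, field):
    """Times where the merged value differs from what sub reported."""
    truth = {r["_time"]: r[field] for r in sub}
    return [r["_time"] for r in merged if r.get(field) != truth.get(r["_time"])]


if __name__ == "__main__":
    field = "Session Count for test1"
    print("positional:", misaligned(paste_by_position(PARALLEL, SESSIONS), SESSIONS, field))
    print("keyed     :", misaligned(merge_by_time(PARALLEL, SESSIONS), SESSIONS, field))
```

In the positional result the 10:20 session count is drawn at 10:10 and the 10:20 row has no session value at all, so the chart looks plausible but is wrong.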
@DalJeanis I'm using the below SPL and it's working fine :)
sourcetype="oracle_sourcetype1XXXXXX" | eval V_INST_NAME= case(INST_ID=="1","test1",INST_ID=="2","test2")
| where like (V_INST_NAME,"%")
|timechart span=10m first(P_COUNT) as PQ by INST_ID |rename 1 as "Parallel Count for test1" 2 as "Parallel Count for test2"
| filldown
| appendcols
[search sourcetype = oracle_sourcetype2YYYYYYY | eval V_INST_NAME= case(INST_ID=="1","test1",INST_ID=="2","test2") |where like (V_INST_NAME,"%")
| timechart span=10m first(SESSIONS_COUNT) as sessions_count by INST_ID
| rename 1 as "Session Count for test1" 2 as "Session Count for test2"
| filldown ]
@swetar, If your problem is resolved, please accept the answer to help future readers.
Please provide the searches for the graphs and we can try to help you merge them.