Dashboards & Visualizations

How to merge two timecharts in a single dashboard panel?

xbbj3nj
Path Finder

Hi All,

I want to merge two timecharts in a single panel, I have a file transmission tracker query A - which tracks when the file transmisiion occurs.

Query B - tracks the triggered alerts ( negative condition - when the file doesnt come)

A:

index="fxr" fxr_ftpup_filename="DMM02YBRYBRPACEAVAILCOLLAT_*04*" OR fxr_ftpup_filename="DMM01YBRYBRCOLLATNAV_*05*" OR fxr_ftpup_filename="DMM10YBRDMMPaceRepoedgeInstruments_*_02*" OR fxr_ftpup_filename="DMM04YBRYBRPACEREPOTRD_*04*" OR fxr_ftpup_filename="DMM04YBRYBRPACEOTCTRD_*04*"  | convert timeformat="%Y-%m-%d %H:%M:%S" ctime(_time) as FileTransmissionTime | rename fxr_ftpup_filename as FileName,fxr_status as Status| replace "DMM01YBRYBRCOLLATNAV_*05*" with "EXPALGONAV-BNYM TO DMM NAV","DMM02YBRYBRPACEAVAILCOLLAT_*04*" with "EXPALGOPOF-BNYM TO DMM Free Inventory","DMM10YBRDMMPaceRepoedgeInstruments_*_02*" with "EVNT- PRICE DEMAND 01:30AM","DMM04YBRYBRPACEREPOTRD_*04*" with "EXPALGOPOR-BNYM TO DMM Repo Transaction","DMM04YBRYBRPACEOTCTRD_*04*" with "EXPALGOOTC-BNYM TO DMM OTC Transaction" in FileName | timechart span=1m count by FileName

B:

index=_audit action=alert_fired ss_app=search |convert ctime(trigger_time) as Time | timechart count(ss_name) by ss_name

How to merge these both and show it in a single timechart.

vasanthmss
Motivator

Try this,

index="fxr" fxr_ftpup_filename="DMM02YBRYBRPACEAVAILCOLLAT_04" OR fxr_ftpup_filename="DMM01YBRYBRCOLLATNAV_05" OR fxr_ftpup_filename="DMM10YBRDMMPaceRepoedgeInstruments__02" OR fxr_ftpup_filename="DMM04YBRYBRPACEREPOTRD_04" OR fxr_ftpup_filename="DMM04YBRYBRPACEOTCTRD_04" | convert timeformat="%Y-%m-%d %H:%M:%S" ctime(time) as FileTransmissionTime | rename fxr_ftpup_filename as FileName,fxr_status as Status| replace "DMM01YBRYBRCOLLATNAV05" with "EXPALGONAV-BNYM TO DMM NAV","DMM02YBRYBRPACEAVAILCOLLAT_04" with "EXPALGOPOF-BNYM TO DMM Free Inventory","DMM10YBRDMMPaceRepoedgeInstruments__02" with "EVNT- PRICE DEMAND 01:30AM","DMM04YBRYBRPACEREPOTRD_04" with "EXPALGOPOR-BNYM TO DMM Repo Transaction","DMM04YBRYBRPACEOTCTRD_04" with "EXPALGOOTC-BNYM TO DMM OTC Transaction" in FileName | timechart span=1m count by FileName
| appendcols
[ search index=_audit action=alert_fired ss_app=search |convert ctime(trigger_time) as Time | timechart span=1m count(ss_name) by ss_name]
V

sk314
Builder

Have you looked at this approach? Might be what you are looking for.
http://answers.splunk.com/answers/7556/timechart-how-do-i-combine-these-two-charts-into-one.html

Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...