Dashboards & Visualizations

How to plot multiline chart with results of different length?

SkyeCoder
Explorer

Hi there,

I have a query like this:

 

message="A" | timechart count AS AA | appendcols [search message="B" | timechart count AS BB] 

 

I want to plot this on the same chart with two lines, AA and BB. But AA have a length of 20 and BB has a length of 60. I believe this is why I am not seeing any line? if so, how can I pad AA with extra 40 zeros so that it is the same length as BB?

Many thanks

Labels (3)
0 Karma

SkyeCoder
Explorer

Thanks for your answer, it did not quite work, even though I see how it should really work! I will look into it a bit more

0 Karma

isoutamo
SplunkTrust
SplunkTrust

Let's hope that you could fix it. Please add also needed indexes, source types etc. to your main query to be sure that you (and especially other users) are using correct events. It's not sure that all user have the same default search indexes as you have!

0 Karma

isoutamo
SplunkTrust
SplunkTrust

Hi

could this solve your issue?

message="A" OR message="B" 
| timechart sum(eval(message=="A")) as AA sum(eval(message=="B")) as BB
| fillnull value=0

r. Ismo 

0 Karma
Get Updates on the Splunk Community!

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Hey, Splunk Community! Ready to take your data management skills to the next level? Join us for a 3-part ...

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk

In today's digital financial ecosystem, security teams face an unprecedented challenge. The sheer volume of ...

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability As businesses scale ...