Dashboards & Visualizations

Timechart Count by Field Name... By Field Name (Combining Timecharts)

PaintItParker
Explorer

I have two timecharts:

 

index=my_index sourcetype=my_sourcetype
| where area="area1"
| regex message="(?:(^Problem.*)|((?i).*Issue.*)|((?i).*Error.*))"
| timechart count by message

 

and

 

index=my_index sourcetype=my_sourcetype
| where area="area2"
| regex message="(?:(^Problem.*)|((?i).*Issue.*)|((?i).*Error.*))"
| timechart count by message

 

The only thing that makes them different is that one is looking at logs where the value of area is area1, and the other is looking at area2.

Rather than have two separate timecharts, I would like to have one timechart with a line for area1 and a line for area2, looking at the count of Issues for each over the given period of time. I do not need a span because the dashboard implements that for me with the time range selection feature.

How could I go about this? I tried something like "timechart count by message by area"  but that does not work. Thank you.

Labels (1)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

Have you tried something like this:

index=my_index sourcetype=my_sourcetype (area="area1" OR area="area2")
| regex message="(?:(^Problem.*)|((?i).*Issue.*)|((?i).*Error.*))"
| timechart count by message area

View solution in original post

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Have you tried something like this:

index=my_index sourcetype=my_sourcetype (area="area1" OR area="area2")
| regex message="(?:(^Problem.*)|((?i).*Issue.*)|((?i).*Error.*))"
| timechart count by message area
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...