I have a simple search only to count the events per timelapse.
I am trying to graph that in only one graph with two time spans: day and hour.
I am using these separately:
"...| timechart count span=1d"
"...| timechart count span=1h"
Can I join that into one graph in one sentence?
Try it like this:
Update: Fixed typo in the timechart/appendpipe subsearch, updated field name.
your base search | timechart span=1h count as count_h | appendpipe [ | timechart span=1d sum(count_h) as count_d] | sort 0 _time
"... | timechart span=1h count | appendpipe [ | timechart span=1d sum(count) as count_d] | sort 0 _time"
Thanks a lot man!
The timechart command is missing an alias. Try this:
your base search | timechart span=1h AS count_h | appendpipe [ | timechart span=1d sum(count) as count_d] | sort 0 _time
Error in 'timechart' command: The specifier 'count_h' is invalid. It must be in form (). For example: max(size).
The search job has failed due to an error. You may be able view the job in the Job Inspector.