Can I with one search, graph two different time ch...

omarlira · ‎09-30-2016

I have a simple search only to count the events per timelapse.

I am trying to graph that in only one graph with two time spans: day and hour

I am using for separated

"...| timechart count span=1d"
"...| timechart count span=1h"

Can I join i one sentence a graph that?

somesoni2 · ‎09-30-2016

Try like this
Update- Fixed typo in the timechart/appendpipe subsearch, updated fieldname

your base search | timechart span=1h count as count_h | appendpipe [ | timechart span=1d sum(count_h) as count_d] | sort 0 _time

omarlira · ‎09-30-2016

not yet...

omarlira · ‎09-30-2016

Look that:

"... | timechart span=1h count | appendpipe [ | timechart span=1d sum(count) as count_d] | sort 0 _time"

works fine.

Thanks a lot man!

sundareshr · ‎09-30-2016

The timechart command is missing an alias. Try this

 your base search | timechart span=1h AS count_h | appendpipe [ | timechart span=1d sum(count) as count_d] | sort 0 _time

omarlira · ‎09-30-2016

Nope

Error in 'timechart' command: The specifier 'count_h' is invalid. It must be in form (). For example: max(size).
The search job has failed due to an error. You may be able view the job in the Job Inspector.

😕

Can I with one search, graph two different time chart spans?

New Release | Splunk Cloud Platform 10.1.2507

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

Splunk New Course Releases for a Changing World

Are you a member of the Splunk Community?

Can I with one search, graph two different time chart spans?

New Release | Splunk Cloud Platform 10.1.2507

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

Splunk New Course Releases for a Changing World