Splunk Search

Chart showing additional info

Communicator

Hi,

I am trying to create a chart on the basis of the difference of two fields; at the same time, on the right side it should show the original values of those two fields. Is it possible?

e.g.:
timeXX timeYY
10 20


Re: Chart showing additional info

Ultra Champion

I'm sorry. I think you'll have to rephrase that a little bit. Perhaps also include a few sample events and the desired output.


Re: Chart showing additional info

Communicator

Hi kristian,

What I am looking for is a chart showing the difference of two fields, e.g. A-B, and at the same time I want to show the values of A and B in the same chart as a legend. I have tried certain queries but am not getting the result in the chart that I am expecting.
e.g.: A B Difference of A & B
20 30 10
The chart is on the difference only, but the user wants to see the values of both A and B too.


Re: Chart showing additional info

Ultra Champion

Since you haven't provided any sample events, I'll assume that your events look like this, in a sourcetype called "X".

2012-09-27 11:09:22 userid=bob A=20 B=30
2012-09-27 11:12:31 userid=eve A=24 B=10

This search:

sourcetype=X | eval AB_diff = A - B | table A, B, AB_diff

would give you the result:

A    B     AB_diff
20   30    -10
24   10    14

If this is not what you want to achieve, please provide better sample data and more detailed requirements.

Hope this helps,

Kristian