
Combine 2 separate searches and display on a single Time Chart


I am trying to combine the results from 2 different search queries into a single time chart. I am using "Shared Time Picker" if that is relevant. Is there a way to do this?

My FIRST search query is displaying as expected. Search string as follows:
Query:

service=Service1*  |fields TIME_TAKEN| eventstats avg(TIME_TAKEN) as mean_time  | timechart span=5m avg(TIME_TAKEN) as service_time ,first(mean_time) as mean_time

mean_time and service_time follow the "Shared Time Picker".
I want to add another search query to it, which is essentially the same calculation as mean_time but with a fixed timeline (7 days).

Thus my SECOND search is as follows:

service=Service1* earliest=-7d@d latest=now | fields TIME_TAKEN | eventstats avg(TIME_TAKEN) as mean_time_over_7_days | timechart  last(mean_time_over_7_days) as mean_time_over_7_days

I am trying to append both these searches as follows but it doesn't work. Is it possible to do this? Thanks.

ATTEMPTED search to combine both, which doesn't work:

service=Service1* |fields TIME_TAKEN| eventstats avg(TIME_TAKEN) as mean_time  | timechart span=5m avg(TIME_TAKEN) as service_time ,first(mean_time) as mean_time | append service=Service1* earliest=-7d@d latest=now | fields TIME_TAKEN | eventstats avg(TIME_TAKEN) as mean_time_over_7_days | timechart  last(mean_time_over_7_days) as mean_time_over_7_days

This is an image showing what I am trying to achieve:
Red line = mean_time_over_7_days
Yellow line = mean_time (shared time picker)
Blue line = service_time (shared time picker)


Re: Combine 2 separate searches and display on a single Time Chart


Try this:

service=Service1*
| fields TIME_TAKEN
| eventstats avg(TIME_TAKEN) as mean_time
| timechart span=5m avg(TIME_TAKEN) as service_time, first(mean_time) as mean_time
| appendcols
    [ search service=Service1* earliest=-7d@d latest=now
    | fields TIME_TAKEN
    | eventstats avg(TIME_TAKEN) as mean_time_over_7_days
    | timechart last(mean_time_over_7_days) as mean_time_over_7_days]

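An added example, not part of the original reply: appendcols pairs rows by position rather than by _time, so this variant reduces the 7-day subsearch to a single row with stats and uses filldown to copy that value onto every 5-minute bucket of the picker-range chart. It assumes the same service and TIME_TAKEN fields as the searches above and that the subsearch returns at least one event.

```spl
service=Service1*
| fields TIME_TAKEN
| eventstats avg(TIME_TAKEN) as mean_time
| timechart span=5m avg(TIME_TAKEN) as service_time, first(mean_time) as mean_time
| appendcols
    [ search service=Service1* earliest=-7d@d latest=now
    | stats avg(TIME_TAKEN) as mean_time_over_7_days ]
| filldown mean_time_over_7_days
```

The explicit earliest and latest inside the subsearch keep the 7-day window fixed while the outer search continues to follow the shared time picker.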