Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Combine result from 2 queries into same bar chart

hardywang
Explorer
‎01-03-2020 06:36 AM

I see such questions are frequently asked on this forum, but I still don't get a clear picture yet.

I have my first query index=same-index source="same-source" "first-query-static-text" | eval date=strftime(_time, "%Y-%m-%d") | chart count over date and I add it to my dashboard's panel as column chart. Everything is working fine.

My second query index=same-index source="same-source" | regex log="second-query-regex" | eval date=strftime(_time, "%Y-%m-%d") | chart count over date and I add it to my dashboard's panel as column chart. Everything is working fine.

Now I have to column charts, each from its own query.

What I want is to have 1 single column chart, each date on x axis has 2 columns (1 value from each query) and use different colours to indicate what is the value for.

Any suggestions?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jpolvino
Builder
‎01-03-2020 12:46 PM

One way to do this would be to give each search result set its own name, and use that for the series. The multisearch command may help:

| multisearch
[search index=same-index source="same-source" "first-query-static-text" | eval date=strftime(_time, "%Y-%m-%d") | eval seriesName="First"]
[search index=same-index source="same-source" | regex log="second-query-regex" | eval date=strftime(_time, "%Y-%m-%d") | eval seriesName="Second"]
chart count over date by seriesName

I don't use the chart command often, so this might not be solid. Using timechart the last line might look like | timechart span=1d count by seriesName

View solution in original post

Reply
Solved! Jump to solution

mydog8it
Builder
‎01-03-2020 01:00 PM

Give this a look and see if it is what you are after...

    index=same-index source="same-source" "first-query-static-text" 
    | bucket _time span=1d 
    | timechart count AS first_query_count 
    | appendcols 
        [ search index=same-index source="same-source" 
        | regex log="second-query-regex" 
        | bucket _time span=1d 
        | timechart count AS second_query_count 
        | fields second_query_count]
0 Karma
Reply
Solved! Jump to solution
Solution

jpolvino
Builder
‎01-03-2020 12:46 PM

One way to do this would be to give each search result set its own name, and use that for the series. The multisearch command may help:

| multisearch
[search index=same-index source="same-source" "first-query-static-text" | eval date=strftime(_time, "%Y-%m-%d") | eval seriesName="First"]
[search index=same-index source="same-source" | regex log="second-query-regex" | eval date=strftime(_time, "%Y-%m-%d") | eval seriesName="Second"]
chart count over date by seriesName

I don't use the chart command often, so this might not be solid. Using timechart the last line might look like | timechart span=1d count by seriesName

Reply
Solved! Jump to solution

hardywang
Explorer
‎01-03-2020 01:16 PM

Your suggestion worked perfectly! I will also explore timechart command.

I am learning splunk, lots to explore.

Reply
Solved! Jump to solution

hardywang
Explorer
‎01-06-2020 06:52 AM

Once I start to use timechart and simplify the query this way, I don't get anything back. Is it a wrong syntax?

| multisearch
 [search index=same-index source="same-source" "first-query-static-text" | eval seriesName="First"]
 [search index=same-index source="same-source" | regex log="second-query-regex" | eval seriesName="Second"]
 | timechart span=1d count by seriesName
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...