I see such questions are frequently asked on this forum, but I still don't get a clear picture yet.
I have my first query:
index=same-index source="same-source" "first-query-static-text" | eval date=strftime(_time, "%Y-%m-%d") | chart count over date
and I add it to my dashboard's panel as a column chart. Everything is working fine.
My second query:
index=same-index source="same-source" | regex log="second-query-regex" | eval date=strftime(_time, "%Y-%m-%d") | chart count over date
and I add it to my dashboard's panel as a column chart. Everything is working fine.
Now I have two column charts, each from its own query.
What I want is to have one single column chart where each date on the x-axis has 2 columns (one value from each query), with different colours indicating which query each value comes from.
Any suggestions?
One way to do this would be to give each search result set its own name, and use that for the series. The multisearch command may help:
| multisearch
[search index=same-index source="same-source" "first-query-static-text" | eval date=strftime(_time, "%Y-%m-%d") | eval seriesName="First"]
[search index=same-index source="same-source" | regex log="second-query-regex" | eval date=strftime(_time, "%Y-%m-%d") | eval seriesName="Second"]
| chart count over date by seriesName
I don't use the chart command often, so this might not be solid. Using timechart, the last line might look like | timechart span=1d count by seriesName
Give this a look and see if it is what you are after...
index=same-index source="same-source" "first-query-static-text"
| bucket _time span=1d
| timechart count AS first_query_count
| appendcols
[ search index=same-index source="same-source"
| regex log="second-query-regex"
| bucket _time span=1d
| timechart count AS second_query_count
| fields second_query_count]
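Both answers produce a table with one row per day and one column per query; they differ in how the two counts are lined up. The multisearch answer keys rows by date (the by-field), while appendcols joins the subsearch's rows to the main rows by position only, which is why that answer uses bucket and timechart: timechart emits a bucket for every day in the search window, including days with zero events, so the positions line up. A plain chart count over date emits rows only for dates that have events, and appendcols over two such results silently shifts counts onto the wrong day. The Python below, an added illustration that is not code from either poster, models these three SPL shapes over a handful of constructed events; the "First"/"Second" filters and the error-code regex are hypothetical stand-ins for the poster's static text and second-query-regex, and dates are computed in UTC so the output is deterministic.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample events standing in for index=same-index source="same-source":
# (epoch _time, raw event). 2024-03-02 deliberately has no "first-query-static-text" event.
EVENTS = [
    (1709251200, "first-query-static-text user=alice action=login"),   # 2024-03-01
    (1709254800, "ERROR code=500 path=/api/orders"),                    # 2024-03-01
    (1709337600, "ERROR code=503 path=/api/orders"),                    # 2024-03-02
    (1709341200, "ERROR code=502 path=/api/orders"),                    # 2024-03-02
    (1709424000, "first-query-static-text user=bob action=login"),     # 2024-03-03
    (1709427600, "first-query-static-text user=carol action=login"),   # 2024-03-03
    (1709431200, "ERROR code=500 path=/api/users"),                     # 2024-03-03
]

# Hypothetical stand-ins for the two base searches (the poster's real regex is not on the page).
SERIES = {
    "First": lambda raw: "first-query-static-text" in raw,               # static text search
    "Second": lambda raw: re.search(r"ERROR code=5\d\d", raw) is not None,  # | regex log="..."
}


def day_of(epoch):
    """eval date=strftime(_time, "%Y-%m-%d"); UTC so the result is deterministic."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d")


def chart_count_by_series(events, series):
    """| multisearch [...] | chart count over date by seriesName
    Rows are keyed by date, so every count lands on the day it belongs to and a
    series with no events on a given day gets 0."""
    counts = Counter()
    for epoch, raw in events:
        for name, match in series.items():
            if match(raw):
                counts[(day_of(epoch), name)] += 1
    return [
        {"date": d, **{name: counts[(d, name)] for name in series}}
        for d in sorted({d for d, _ in counts})
    ]


def chart_count_over_date(events, match, field):
    """| chart count AS <field> over date: a row only for dates that have a match."""
    counts = Counter(day_of(epoch) for epoch, raw in events if match(raw))
    return [{"date": d, field: counts[d]} for d in sorted(counts)]


def timechart_count(events, match, field, earliest, latest):
    """| bucket _time span=1d | timechart count AS <field>: one bucket for every
    day in the search window, 0 where nothing matched."""
    counts = Counter(day_of(epoch) for epoch, raw in events if match(raw))
    start = datetime.strptime(earliest, "%Y-%m-%d")
    end = datetime.strptime(latest, "%Y-%m-%d")
    days = ((start + timedelta(days=i)).strftime("%Y-%m-%d")
            for i in range((end - start).days + 1))
    return [{"date": d, field: counts[d]} for d in days]


def only_fields(rows, *names):
    """| fields <names>: keep just the listed columns of the subsearch result."""
    return [{n: row[n] for n in names} for row in rows]


def appendcols(left, right):
    """| appendcols [...]: columns are glued on by row position, not by any key."""
    return [dict(l, **r) for l, r in zip(left, right)]


def combined_via_timechart(events, earliest, latest):
    """The appendcols answer: continuous daily buckets on both sides keep rows aligned."""
    first = timechart_count(events, SERIES["First"], "first_query_count", earliest, latest)
    second = timechart_count(events, SERIES["Second"], "second_query_count", earliest, latest)
    return appendcols(first, only_fields(second, "second_query_count"))


def combined_via_sparse_chart(events):
    """Same join over sparse chart output: the missing 2024-03-02 row on the
    First side shifts the Second counts onto the wrong dates."""
    first = chart_count_over_date(events, SERIES["First"], "first_query_count")
    second = chart_count_over_date(events, SERIES["Second"], "second_query_count")
    return appendcols(first, only_fields(second, "second_query_count"))


if __name__ == "__main__":
    for row in chart_count_by_series(EVENTS, SERIES):
        print("by seriesName:          ", row)
    for row in combined_via_timechart(EVENTS, "2024-03-01", "2024-03-03"):
        print("timechart + appendcols: ", row)
    for row in combined_via_sparse_chart(EVENTS):
        print("sparse chart + appendcols (misaligned):", row)
```

Running it shows the keyed and timechart-based results agree (2024-03-02 reads First=0, Second=2), while the sparse-chart join reports Second=2 against 2024-03-03 and loses the 2024-03-02 row entirely. The same positional hazard applies whenever a subsearch can return fewer rows than the main search, which is worth remembering when such a panel feeds an alert threshold.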
Your suggestion worked perfectly! I will also explore the timechart command.
I am learning Splunk, lots to explore.
Once I start to use timechart and simplify the query this way, I don't get anything back. Is it wrong syntax?
| multisearch
[search index=same-index source="same-source" "first-query-static-text" | eval seriesName="First"]
[search index=same-index source="same-source" | regex log="second-query-regex" | eval seriesName="Second"]
| timechart span=1d count by seriesName
