Solved: Re: Combinig two graphs into one

matansocher · ‎03-29-2017

I have two graphs (I put example and their search code) and I want to display them on a single graph.
Is there a way to create that kind of graph?

1

| inputcsv MPSMilstonesCSV 
| dedup Report_Milestone 
| eval Report_Milestone1 = if((substr(Report_Milestone, 1, 1)  == "S"), substr(Report_Milestone, (len(Report_Milestone)-6), len(Report_Milestone)), Report_Milestone) 
| fieldformat TaskDeadline = strftime(TaskDeadline, "%d/%m/%Y") 
| streamstats count as milestoneNumber
| eval legend = milestoneNumber+" = "+Report_Milestone1
| table TaskDeadline Report_Milestone1 milestoneNumber legend
| chart sum(milestoneNumber) over TaskDeadline by legend

2

index=clearquest ("Project Name"=ipa_4*) 
    ("Task Type"="Enhancement A*" OR "Task Type"=Defe* OR "Task Type"=Doc*) 
    "Resolution"=* ("Severity"=*) "Task ID"=* 
| dedup "Task ID" 
| reverse 
| timechart span=1w dc("Task ID") AS sum_of_tasks_per_week by Severity 
| accum "S0-Critical" 
| accum "S1-High Impact" 
| accum "S2-Medium Impact" 
| accum "S3-Low Impact" 
| accum "S4-Unknown" 
| accum "No Value"

Thank you

somesoni2 · ‎03-29-2017

Give this a try. In dashboard panel visualization edit, add the fields from lookup (or from index) as overlay fields.

index=clearquest ("Project Name"=ipa_4*) 
     ("Task Type"="Enhancement A*" OR "Task Type"=Defe* OR "Task Type"=Doc*) 
     "Resolution"=* ("Severity"=*) "Task ID"=* 
 | dedup "Task ID" 
 | reverse 
 | timechart span=1w dc("Task ID") AS sum_of_tasks_per_week by Severity 
 | accum "S0-Critical" 
 | accum "S1-High Impact" 
 | accum "S2-Medium Impact" 
 | accum "S3-Low Impact" 
 | accum "S4-Unknown" 
 | accum "No Value"
| append [| inputcsv MPSMilstonesCSV 
 | dedup Report_Milestone 
 | eval Report_Milestone1 = if((substr(Report_Milestone, 1, 1)  == "S"), substr(Report_Milestone, (len(Report_Milestone)-6), len(Report_Milestone)), Report_Milestone) 
 | eval _time= TaskDeadline
 | streamstats count as milestoneNumber
 | eval legend = milestoneNumber+" = "+Report_Milestone1
 | chart sum(milestoneNumber) over _timeby legend]
| timechart values(*) as *

View solution in original post

somesoni2 · ‎03-29-2017

Give this a try. In dashboard panel visualization edit, add the fields from lookup (or from index) as overlay fields.

index=clearquest ("Project Name"=ipa_4*) 
     ("Task Type"="Enhancement A*" OR "Task Type"=Defe* OR "Task Type"=Doc*) 
     "Resolution"=* ("Severity"=*) "Task ID"=* 
 | dedup "Task ID" 
 | reverse 
 | timechart span=1w dc("Task ID") AS sum_of_tasks_per_week by Severity 
 | accum "S0-Critical" 
 | accum "S1-High Impact" 
 | accum "S2-Medium Impact" 
 | accum "S3-Low Impact" 
 | accum "S4-Unknown" 
 | accum "No Value"
| append [| inputcsv MPSMilstonesCSV 
 | dedup Report_Milestone 
 | eval Report_Milestone1 = if((substr(Report_Milestone, 1, 1)  == "S"), substr(Report_Milestone, (len(Report_Milestone)-6), len(Report_Milestone)), Report_Milestone) 
 | eval _time= TaskDeadline
 | streamstats count as milestoneNumber
 | eval legend = milestoneNumber+" = "+Report_Milestone1
 | chart sum(milestoneNumber) over _timeby legend]
| timechart values(*) as *

matansocher · ‎04-04-2017

the answer did not give me the exact result I wanted, but it gave me a direction of how I need to cimbine the 2 queries into 1.

thank you

woodcock · ‎03-29-2017

Your desire is to overlay the graphs semi-transparently as-is to merge the images, right?

matansocher · ‎03-29-2017

Yes, exactly.

Combinig two graphs into one

Enterprise Security Content Update (ESCU) | New Releases

Expert Tips from Splunk Professional Services, Ensuring Compliance, and More New ...

Observability Release Update: AI Assistant, AppD + Observability Cloud Integrations & ...