Solved: How can I fix my double timechart graphs?

netanelm7 · ‎10-13-2017

I want to see 2 timecharts that each 1 contains different counter

my search is:
source="perfmon:test" counter="Private Bytes" NOT _total instance=chrome | eval MB_Used=Value/1024/1024 | timechart sum(MB_Used) by instance useother=f | append [search counter="Working Set Peak" NOT _total instance=chrome | eval MB_Used=Value/1024/1024 | timechart span=1m avg(MB_Used) useother=f by instance]

With the append command I managed to add the timecharts together but I see them with the same name and the graphs look awkward (the 2 timecharts have the same name so it shows them awkwardly).
Do you have any idea?

jfraiberg · ‎10-13-2017

add this to the end of your 2nd search - "| rename instance AS instance2"

View solution in original post

DalJeanis · ‎10-13-2017

@netanelm7 - How do you want this to look? What is the relationship of the two things you are calculating?

netanelm7 · ‎10-13-2017

they are both counters of the same instance, i want to see 2 counters for each instance if i do "timechart by instance"

netanelm7 · ‎10-13-2017

Thank you!!
If im doing a timechart with "by instance", i will have to rename every instance so it wont have the same name?

jfraiberg · ‎10-13-2017

no, you are only renaming the name of the field, not the values.

netanelm7 · ‎10-13-2017

Yeah but i see each instance in the first line of each column, which means every instance is a field right?

jfraiberg · ‎10-13-2017

I am sorry, I totally misunderstood. Try this:

source="perfmon:test" counter="Private Bytes" NOT _total instance=chrome
| eval MB_Used=Value/1024/1024
| timechart sum(MB_Used) AS mb_private_bytes by instance useother=f

| appendcols [search counter="Working Set Peak" NOT _total instance=chrome
| eval MB_Used=Value/1024/1024
| timechart span=1m avg(MB_Used) AS mb_working_set_peak useother=f by instance]

netanelm7 · ‎10-14-2017

Not working, still showing me 1 column named "chrome"

jfraiberg · ‎10-14-2017

hmm, that should give you 2 columns, one called mb_private_bytes and one called mb_working_set_peak with chrome as the instance. Is that not what you are seeing?

What happens if you change the chart format to "multi series mode"?

jfraiberg · ‎10-14-2017

or you can keep it as column, but go to "overlay" and chose one of the values..

jfraiberg · ‎10-13-2017

add this to the end of your 2nd search - "| rename instance AS instance2"

How can I fix my double timechart graphs?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

Join the Conversation