How can I make my chart overlay use the same axis?

tarini_r
New Member

My search query is as follows; it displays the tickets flowing in and out. Now I want to put a line indicating the backlog on my chart.

index="tickets" $year$  |  dedup number 
| convert timeformat="%Y-%m-%d %H:%M:%S" num(allFields.createdDate) As days
| eval week=strftime(days,"%V") 
| eval year = strftime(days, "%Y") 
| where year= c_year
| stats count by week

| appendcols [search index="tickets" $year$ | dedup number | search state != "Resolved" AND state != "Closed" AND state != "Resolution Confirmed" AND  assignment_group != "Out of Scope" | convert timeformat="%Y-%m-%d %H:%M:%S" num(createdDate) As date
| eval weeks=strftime(date,"%V") 
| eval year = strftime(date, "%Y") 
| where year= c_year | chart count by weeks 
 ]


| appendcols [search index="tickets" $year$  | dedup number
| search state = "Resolved" OR state = "Resolution Confirmed" OR  state = "Closed"
| convert timeformat="%Y-%m-%d %H:%M:%S" num(resolvedOn) As days
| eval out = strftime(days, "%V")
| eval year = strftime(days, "%Y") 
| where year= c_year
| chart count by out]

Basically, how can I make the field 'createdDate', used in the first query and the first subquery, common on my chart? The way I did it, the subquery has its own axis, which I do not want. Please refer to the picture: (image)
What I am getting is this (where weeks is my backlog):
(image)
Any help will be much appreciated!
