Hello,
I have two searches I'd like to combine into one timechart. Each of these has its own set of _time values.
The first search uses a custom Python script:
search... | burndown
The second search is a standard timechart:
search... | timechart span=1d avg(x)
Current search:
search... | burndown | appendcols [ search... | timechart span=1d avg(x) ]
This gives me both lines, but the timechart line starts at the beginning timestamp of the burndown chart when it should be starting much later on. Basically, it's using the burndown timestamps for both lines, when each line should retain its own timestamp.
Diagram and images below (x data is from burndown chart, y data is from other chart)
Actual result:
time1 x1 y1
time2 x2 y2
time3 x3 y3
time4 x4 y4
time5 x5 y5
Expected result (please excuse the bad photoshop):
time1 x1
time2 x2
time3 x3
time4 x4
time5 x5
......
time97 ... y1
time98 ... y2
time99 x6 y3
I have also tried this JOIN search:
search... | eval y=""| burndown | join y [ search... |eval y=""| timechart span=1d avg(x) ]
This results in the correct values for the outer search but continuously repeats the first value for the inner search for some reason.
Any assistance on this would be really appreciated. Thanks very much!
Try this
search...|eval _time=strptime(_time,"%Y-%m-%d") | burndown | append [ search... |timechart avg(x) ] | timechart span=1d first(*) as *
This charts the subsearch component but completely takes out the initial query data and does not chart it at all.
That sounds like your main search (burndown) is not returning any events.
Do you mean the data it is returning is not in event format? I know it is returning data as a solo query works fine. Do you have a way of determining the correct format?
Try something like this
search... | eval y=""| burndown | append [ search... |eval y=""| timechart span=1d avg(x) ] | sort 0 _time
I tried this, and the subsearch chart appends to the end of the first chart...but the _time is not sorted, so the subsearch chart stays at the end of the first chart. Also, the tooltips on the first chart now say "Invalid timestamp". I'm assuming that means the time formats for both searches are different. The first chart is bringing back a %Y-%m-%d format, so I tried using strptime:
search...|eval _time=strptime(_time,"%Y-%m-%d") | burndown | append [ search... |timechart avg(x) ] | sort 0 _time
But same result.
What's the timestamp interval in the 1st part of your search? Is it 1d like in the sub search? If not, have you tried your search without using the span attribute on the sub search?
The timestamp interval is also 1d for the first part. Taking out the span of the sub search doesn't seem to change anything.
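An added example, not part of the original thread: appendcols pastes subsearch rows onto the main results by row position, which is why both lines share the first search's timestamps in the question, whereas append followed by a second timechart merges the two series on _time. The makeresults data is constructed, and the example assumes both series carry a numeric epoch _time, so output from a custom command such as burndown that returns date strings would need strptime applied after that command.

```spl
| makeresults count=8
| streamstats count AS n
| eval _time=relative_time(now(), "@d") - (10 - n) * 86400, x=100 - n * 10
| fields _time x
| append
    [| makeresults count=3
     | streamstats count AS n
     | eval _time=relative_time(now(), "@d") - (4 - n) * 86400, y=n * 2
     | fields _time y]
| timechart span=1d first(x) AS x first(y) AS y
```

The x column is populated for the eight earliest days and y only for the last three, with both values present on the two days where the series overlap.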