Splunk Search

How do I combine my two searches into one timechart?



I have two searches I'd like to combine into one timechart. Each of these has its own set of _time values.

The first search uses a custom Python script:

search... | burndown

The second search is a standard timechart:

search... | timechart span=1d avg(x) 

Current search:

search... | burndown | appendcols [ search... | timechart span=1d avg(x) ]

This gives me both lines, but the timechart line starts at the beginning timestamp of the burndown chart when it should be starting much later on. Basically, it's using the burndown timestamps for both lines, when each line should retain its own timestamp.

Diagram and images below (x data is from burndown chart, y data is from other chart)

Actual result:

time1 x1 y1
time2 x2 y2
time3 x3 y3
time4 x4 y4
time5 x5 y5

Expected result (please excuse the bad photoshop):

time1 x1
time2 x2
time3 x3
time4 x4
time5 x5
time97 ... y1
time98 ... y2
time99 x6 y3

I have also tried this JOIN search:

search... | eval y="" | burndown | join y [ search... | eval y="" | timechart span=1d avg(x) ]

This results in the correct values for the outer search but continuously repeats the first value for the inner search for some reason.

Any assistance on this would be really appreciated. Thanks very much!


Try this

search... | eval _time=strptime(_time,"%Y-%m-%d") | burndown | append [ search... | timechart avg(x) ] | timechart span=1d first(*) as *
0 Karma


This charts the subsearch component but completely takes out the initial query data and does not chart it at all.

0 Karma


That sounds like your main search (burndown) is not returning any events.

0 Karma


Do you mean the data it is returning is not in event format? I know it is returning data as a solo query works fine. Do you have a way of determining the correct format?

0 Karma

Revered Legend

Try something like this

search... | eval y="" | burndown | append [ search... | eval y="" | timechart span=1d avg(x) ] | sort 0 _time
0 Karma


I tried this, and the subsearch chart appends to the end of the first chart...but the _time is not sorted, so the subsearch chart stays at the end of the first chart. Also, the tooltips on the first chart now say "Invalid timestamp". I'm assuming that means the time formats for both searches are different. The first chart is bringing back a %Y-%m-%d format, so I tried using strptime:

search... | eval _time=strptime(_time,"%Y-%m-%d") | burndown | append [ search... | timechart avg(x) ] | sort 0 _time

But same result.

0 Karma


What's the timestamp interval in the 1st part of your search? Is it 1d like in the sub search? If not, have you tried your search without using the span attribute on the sub search?

Hope I was able to help you. If so, an upvote would be appreciated.
0 Karma


The timestamp interval is also 1d for the first part. Taking out the span of the sub search doesn't seem to change anything.

0 Karma
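
Why `appendcols` puts the second series on the burndown timestamps, and why `append` followed by `timechart span=1d first(*) as *` lets each series keep its own, shown as a simplified Python model of the row semantics. This is an added example, not part of any post in this thread and not Splunk code; the function names and the sample data are constructed for illustration.

```python
# Simplified model of the row semantics only; this is not Splunk code.
from datetime import date, timedelta

DAY = timedelta(days=1)

def appendcols(main, sub):
    """Pair rows by position. On a field clash the main row wins (the
    default, override=false), so the subsearch's own _time is dropped.
    Assumes len(sub) <= len(main)."""
    return [{**(sub[i] if i < len(sub) else {}), **row}
            for i, row in enumerate(main)]

def append_then_timechart(main, sub):
    """append stacks the rows; timechart span=1d first(*) as * then groups
    them by each row's own day and keeps the first value per field.
    Days with no data, which timechart would emit as empty rows, are skipped."""
    buckets = {}
    for row in main + sub:
        bucket = buckets.setdefault(row["_time"], {})
        for field, value in row.items():
            if field != "_time":
                bucket.setdefault(field, value)
    return [{"_time": day, **buckets[day]} for day in sorted(buckets)]

# Constructed sample data: x is the burndown series, y the daily average.
START, LATE = date(2024, 1, 1), date(2024, 3, 1)
burndown = [{"_time": START + i * DAY, "x": 50 - 10 * i} for i in range(5)]
burndown.append({"_time": LATE + 2 * DAY, "x": 0})
avg_x = [{"_time": LATE + i * DAY, "y": 2.0 + i} for i in range(3)]

if __name__ == "__main__":
    for label, rows in (("appendcols", appendcols(burndown, avg_x)),
                        ("append | timechart", append_then_timechart(burndown, avg_x))):
        print(label)
        for row in rows:
            print("  ", row["_time"], row.get("x", ""), row.get("y", ""))
```

In the `appendcols` output the y values sit on the first three burndown dates, matching the "Actual result" table; in the second output they appear only on their own dates and share a row with x where the dates coincide, matching the "Expected result" table.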