Splunk Search

How do I combine my two searches into one timechart?

cwilcox13
Explorer

Hello,

I have two searches I'd like to combine into one timechart. Each of these has its own set of _time values.

The first search uses a custom Python script:

search... | burndown

The second search is a standard timechart:

search... | timechart span=1d avg(x) 

Current search:

search... | burndown | appendcols [ search... | timechart span=1d avg(x) ]

This gives me both lines, but the timechart line starts at the beginning timestamp of the burndown chart when it should be starting much later on. Basically, it's using the burndown timestamps for both lines, when each line should retain its own timestamp.

Diagram and images below (x data is from burndown chart, y data is from other chart)

Actual result:

time1 x1 y1
time2 x2 y2
time3 x3 y3
time4 x4 y4
time5 x5 y5


Expected result (please excuse the bad photoshop):

time1 x1

time2 x2

time3 x3

time4 x4
time5 x5
......
time97 ... y1
time98 ... y2
time99 x6 y3


I have also tried this JOIN search:

search... | eval y=""|  burndown | join y [ search... |eval y=""| timechart span=1d avg(x) ] 

This results in the correct values for the outer search but continuously repeats the first value for the inner search for some reason.

Any assistance on this would be really appreciated. Thanks very much!

sundareshr
Legend

Try this

search...|eval _time=strptime(_time,"%Y-%m-%d") | burndown | append [ search... |timechart avg(x) ] | timechart span=1d first(*) as *
0 Karma

cwilcox13
Explorer

This charts the subsearch component but completely takes out the initial query data and does not chart it at all.

0 Karma

sundareshr
Legend

That sounds like your main search (burndown) is not returning any events.

0 Karma

cwilcox13
Explorer

Do you mean the data it is returning is not in event format? I know it is returning data as a solo query works fine. Do you have a way of determining the correct format?

0 Karma

somesoni2
Revered Legend

Try something like this

search... | eval y=""| burndown | append [ search... |eval y=""| timechart span=1d avg(x) ]  | sort 0 _time
0 Karma

cwilcox13
Explorer

I tried this, and the subsearch chart appends to the end of the first chart...but the _time is not sorted, so the subsearch chart stays at the end of the first chart. Also, the tooltips on the first chart now say "Invalid timestamp". I'm assuming that means the time formats for both searches are different. The first chart is bringing back a %Y-%m-%d format, so I tried using strptime:

 search...|eval _time=strptime(_time,"%Y-%m-%d") | burndown | append [ search... |timechart avg(x) ]  | sort 0 _time

But same result.

0 Karma

diogofgm
SplunkTrust

What's the timestamp interval in the 1st part of your search? Is it 1d like in the subsearch? If not, have you tried your search without using the span attribute on the subsearch?

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma

cwilcox13
Explorer

The timestamp interval is also 1d for the first part. Taking out the span of the sub search doesn't seem to change anything.
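Added example (not from any poster above) that reproduces the whole thread with constructed data: `makeresults` stands in for the `burndown` output (5 daily rows, `_time` emitted as a `%Y-%m-%d` string, as the poster reports) and for the later `timechart` series (3 daily rows starting a week later), then uses the `append` approach from the answers. The assumption is that `strptime` must run after the command that produces the string `_time`, not before it as in the attempts above, so that `timechart` can bucket every row by its own epoch `_time`; `1577836800` is 2020-01-01 00:00 UTC and `86400` is one day.

```spl
| makeresults count=5
| streamstats count AS n
| eval _time=strftime(1577836800 + (n-1)*86400, "%Y-%m-%d")
| eval x=100 - (n-1)*20
| table _time x
| eval _time=strptime(_time, "%Y-%m-%d")
| append
    [| makeresults count=3
     | streamstats count AS n
     | eval _time=1577836800 + (7 + (n-1))*86400
     | eval y=n*10
     | table _time y ]
| timechart span=1d first(x) AS x first(y) AS y
```

Run over "All time": the first five daily buckets carry only `x`, the buckets from 2020-01-08 carry only `y`, and no series is shifted onto the other's timestamps; swapping `append` for `appendcols` pairs rows by position and reproduces the misaligned chart in the question.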

0 Karma