I have two searches I'd like to combine into one timechart. Each of these has its own set of _time values.
The first search uses a custom Python script:
search... | burndown
The second search is a standard timechart:
search... | timechart span=1d avg(x)
search... | burndown | appendcols [ search... | timechart span=1d avg(x)
This gives me both lines, but the timechart line starts at the beginning timestamp of the burndown chart when it should be starting much later on. Basically, it's using the burndown timestamps for both lines, when each line should retain its own timestamp.
Diagram and images below (x data is from burndown chart, y data is from other chart)
time1 x1 y1
time2 x2 y2
time3 x3 y3
time4 x4 y4
time5 x5 y5
Expected result (please excuse the bad photoshop):
time97 ... y1
time98 ... y2
time99 x6 y3
I have also tried this JOIN search:
search... | eval y=""| burndown | join y [ search... |eval y=""| timechart span=1d avg(x) ]
This results in the correct values for the outer search continuously repeats the first value for the inner search for some reason.
Any assistance on this would be really appreciated. Thanks very much!
I tried this, and the subsearch chart appends to the end of the first chart...but the _time is not sorted, so the subsearch chart stays at the end of the first chart. Also, the tooltips on the first chart now say "Invalid timestamp". I'm assuming that means the time formats for both searches are different. The first chart is bringing back a
%Y-%m-%d format, so I tried using strptime:
search...|eval _time=strptime(_time,"%Y-%m-%d") | burndown | append [ search... |timechart avg(x) ] | sort 0 _time
But same result.
Whats the timestamp interval in the 1st part of your search? Is it 1d like in the sub search? if not, have you tried you search without using the span attribute on the sub search?