Splunk Search

How do you plot historical data and current log data together in a timechart?

arpitadu
Explorer

Hi all,

I have loaded the last 3 years of historical data from a CSV file to Splunk — so source is "XYZ.csv". On the other hand, the recent log data is tracking every 30 mins through a REST API — thus its source is ""rest://XYZ".

Can you please advise how I can plot a timechart with both data sets together?

0 Karma
1 Solution

whrg
Motivator

Do both log sources (CSV and REST API) have the same log format, i.e. do they have the same fields available?

If so, I suggest you run two searches to combine all events and then run the timechart command:

index=... sourcetype="XYZ.csv"
| append [search index=... sourcetype="rest://XYZ"]
| timechart ...

EDIT: I just thought of something much simpler:

index=... sourcetype="XYZ.csv" OR sourcetype="rest://XYZ"

View solution in original post

whrg
Motivator

Do both log sources (CSV and REST API) have the same log format, i.e. do they have the same fields available?

If so, I suggest you run two searches to combine all events and then run the timechart command:

index=... sourcetype="XYZ.csv"
| append [search index=... sourcetype="rest://XYZ"]
| timechart ...

EDIT: I just thought of something much simpler:

index=... sourcetype="XYZ.csv" OR sourcetype="rest://XYZ"

whrg
Motivator

I just edited my answer to include a much simpler search using "OR".

0 Karma
Get Updates on the Splunk Community!

Understanding Generative AI Techniques and Their Application in Cybersecurity

Watch On-Demand Artificial intelligence is the talk of the town nowadays, with industries of all kinds ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Using the Splunk Threat Research Team’s Latest Security Content

REGISTER HERE Tech Talk | Security Edition Did you know the Splunk Threat Research Team regularly releases ...