Solved: How do you plot historical data and current log da...

arpitadu · ‎12-10-2018

Hi all,

I have loaded the last 3 years of historical data from a CSV file to Splunk — so source is "XYZ.csv". On the other hand, the recent log data is tracking every 30 mins through a REST API — thus its source is ""rest://XYZ".

Can you please advise how I can plot a timechart with both data sets together?

whrg · ‎12-10-2018

Do both log sources (CSV and REST API) have the same log format, i.e. do they have the same fields available?

If so, I suggest you run two searches to combine all events and then run the timechart command:

index=... sourcetype="XYZ.csv"
| append [search index=... sourcetype="rest://XYZ"]
| timechart ...

EDIT: I just thought of something much simpler:

index=... sourcetype="XYZ.csv" OR sourcetype="rest://XYZ"

View solution in original post

whrg · ‎12-10-2018

Do both log sources (CSV and REST API) have the same log format, i.e. do they have the same fields available?

If so, I suggest you run two searches to combine all events and then run the timechart command:

index=... sourcetype="XYZ.csv"
| append [search index=... sourcetype="rest://XYZ"]
| timechart ...

EDIT: I just thought of something much simpler:

index=... sourcetype="XYZ.csv" OR sourcetype="rest://XYZ"

whrg · ‎12-10-2018

I just edited my answer to include a much simpler search using "OR".

How do you plot historical data and current log data together in a timechart?

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases

Are you a member of the Splunk Community?

How do you plot historical data and current log data together in a timechart?

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases