Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to combine chart?

Kaiyue
Loves-to-Learn Lots
‎03-29-2023 01:40 AM

I am trying to combine the results from 2 different search queries into a single chart.Is there a way to do this?

FIRST search:

 

 

source="a.csv" OR source="b.csv" OR source="c.csv" Company="x" 
| eval Created=substr(Created, 1, 7) 
| eval a=if(State="Closed",1,0)
| chart sum(a) AS closed_event by Created

 

 

SECOND search:

 

 

source="a.csv" OR source="b.csv" OR source="c.csv" Company="x" 
| eval Created=substr(Created, 1, 7)
| chart count by Created,source

 

 

 I want the first search as a line chart and the second search as a column chart,combining them.

Thanks in advance

Labels (1)
Labels
0 Karma
Reply

srauhala_splunk
Splunk Employee
Splunk Employee
‎03-29-2023 02:24 AM

Maybe something like: 

 

source="a.csv" OR source="b.csv" OR source="c.csv" Company="x"
```Expection State is either "Created OR Closed" ```
| eval state_source = State.":".source
| chart count by state_source

 

 

/Seb 

0 Karma
Reply

Kaiyue
Loves-to-Learn Lots
‎03-29-2023 02:35 AM
Sorry it didn't work, thanks for your answer
0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎03-29-2023 02:06 AM

If the two searches have different groupby lists, this is impossible.  Just try to draw a mockup and illustrate how the output will look like.

0 Karma
Reply

Kaiyue
Loves-to-Learn Lots
‎03-29-2023 06:20 PM

If I change the second search like this,is it possible to achieve?

source="a.csv" OR source="b.csv" OR source="c.csv" Company="x"

| eval Created=substr(Created, 1, 7)

| count(eval(source="a.csv")) AS A count(eval(source="b.csv")) AS B count(eval(source="c.csv")) AS C by Created

0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎03-29-2023 11:05 PM

If you have the same groupby, yes.  The name of the game is overlay.  In fact, I gave an example in my .conf22 talk.

To help visualize, this is the effect you wanted:

Line chart and column chartLine chart and column chart

To get this, your search would look like

 

source="a.csv" OR source="b.csv" OR source="c.csv" Company="x" 
| eval Created=substr(Created, 1, 7) 
| eval a=if(State="Closed",1,0)
| chart sum(a) AS closed_event count(eval(source="a.csv")) AS A count(eval(source="b.csv")) AS B count(eval(source="c.csv")) AS C by Created

 

Then, open Visualization, select column chart as your base type.  Then, click Format -> Chart Overlay.  Select "closed_event" into Overlay.  if the numbers between closed_event and A, B, C is large, the chart will benefit from "View as Axis", which create a separately scaled Y-axis on the right side as illustrated above.

chart-overlay.png

Hope this helps.

 

Tags (1)
0 Karma
Reply

srauhala_splunk
Splunk Employee
Splunk Employee
‎03-29-2023 10:55 PM

Hi! 

Most things are possible. Let's try to figure what we are trying to achieve. 

"| eval Created=substr(Created, 1, 7)"

Is this generating a state i.e. "created" or is this a user_id or similar with multiple combinations of values? 

"| eval a=if(State="Closed",1,0)" 

Do you want to count the number of occurrences something was created  and closed? 

maybe

source="a.csv" OR source="b.csv" OR source="c.csv" Company="x"
| eval created_by=substr(Created, 1, 7)
| eval is_closed=if(State="Closed",1,0)
| eval user_source = created_by.":".source
| chart sum(is_closed), count by user_source

OR 

source="a.csv" OR source="b.csv" OR source="c.csv" Company="x"
| eval created_by=substr(Created, 1, 7)
| eval is_closed=if(State="Closed",1,0)
| eval user_source = created_by.":".source
| chart sum(is_closed), count by created_by, source

 

/Seb 

 

 

 

 

0 Karma
Reply

Kaiyue
Loves-to-Learn Lots
‎03-29-2023 02:24 AM

Thank you very much for your answer, if there is a way to implement it in the dashboard

0 Karma
Reply
Get Updates on the Splunk Community!

Modern way of developing distributed application using OTel

Recently, I had the opportunity to work on a complex microservice using Spring boot and Quarkus to develop a ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had 3 releases of new security content via the Enterprise Security ...

Archived Metrics Now Available for APAC and EMEA realms

We’re excited to announce the launch of Archived Metrics in Splunk Infrastructure Monitoring for our customers ...