Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to combine chart?

Kaiyue
Loves-to-Learn Lots
‎03-29-2023 01:40 AM

I am trying to combine the results from 2 different search queries into a single chart.Is there a way to do this?

FIRST search:

 

 

source="a.csv" OR source="b.csv" OR source="c.csv" Company="x" 
| eval Created=substr(Created, 1, 7) 
| eval a=if(State="Closed",1,0)
| chart sum(a) AS closed_event by Created

 

 

SECOND search:

 

 

source="a.csv" OR source="b.csv" OR source="c.csv" Company="x" 
| eval Created=substr(Created, 1, 7)
| chart count by Created,source

 

 

 I want the first search as a line chart and the second search as a column chart,combining them.

Thanks in advance

Labels (1)
Labels
0 Karma
Reply

srauhala_splunk
Splunk Employee
Splunk Employee
‎03-29-2023 02:24 AM

Maybe something like: 

 

source="a.csv" OR source="b.csv" OR source="c.csv" Company="x"
```Expection State is either "Created OR Closed" ```
| eval state_source = State.":".source
| chart count by state_source

 

 

/Seb 

0 Karma
Reply

Kaiyue
Loves-to-Learn Lots
‎03-29-2023 02:35 AM
Sorry it didn't work, thanks for your answer
0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎03-29-2023 02:06 AM

If the two searches have different groupby lists, this is impossible.  Just try to draw a mockup and illustrate how the output will look like.

0 Karma
Reply

Kaiyue
Loves-to-Learn Lots
‎03-29-2023 06:20 PM

If I change the second search like this,is it possible to achieve?

source="a.csv" OR source="b.csv" OR source="c.csv" Company="x"

| eval Created=substr(Created, 1, 7)

| count(eval(source="a.csv")) AS A count(eval(source="b.csv")) AS B count(eval(source="c.csv")) AS C by Created

0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎03-29-2023 11:05 PM

If you have the same groupby, yes.  The name of the game is overlay.  In fact, I gave an example in my .conf22 talk.

To help visualize, this is the effect you wanted:

Line chart and column chartLine chart and column chart

To get this, your search would look like

 

source="a.csv" OR source="b.csv" OR source="c.csv" Company="x" 
| eval Created=substr(Created, 1, 7) 
| eval a=if(State="Closed",1,0)
| chart sum(a) AS closed_event count(eval(source="a.csv")) AS A count(eval(source="b.csv")) AS B count(eval(source="c.csv")) AS C by Created

 

Then, open Visualization, select column chart as your base type.  Then, click Format -> Chart Overlay.  Select "closed_event" into Overlay.  if the numbers between closed_event and A, B, C is large, the chart will benefit from "View as Axis", which create a separately scaled Y-axis on the right side as illustrated above.

chart-overlay.png

Hope this helps.

 

Tags (1)
0 Karma
Reply

srauhala_splunk
Splunk Employee
Splunk Employee
‎03-29-2023 10:55 PM

Hi! 

Most things are possible. Let's try to figure what we are trying to achieve. 

"| eval Created=substr(Created, 1, 7)"

Is this generating a state i.e. "created" or is this a user_id or similar with multiple combinations of values? 

"| eval a=if(State="Closed",1,0)" 

Do you want to count the number of occurrences something was created  and closed? 

maybe

source="a.csv" OR source="b.csv" OR source="c.csv" Company="x"
| eval created_by=substr(Created, 1, 7)
| eval is_closed=if(State="Closed",1,0)
| eval user_source = created_by.":".source
| chart sum(is_closed), count by user_source

OR 

source="a.csv" OR source="b.csv" OR source="c.csv" Company="x"
| eval created_by=substr(Created, 1, 7)
| eval is_closed=if(State="Closed",1,0)
| eval user_source = created_by.":".source
| chart sum(is_closed), count by created_by, source

 

/Seb 

 

 

 

 

0 Karma
Reply

Kaiyue
Loves-to-Learn Lots
‎03-29-2023 02:24 AM

Thank you very much for your answer, if there is a way to implement it in the dashboard

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...