Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to combine chart?

Kaiyue
Loves-to-Learn Lots
‎03-29-2023 01:40 AM

I am trying to combine the results from 2 different search queries into a single chart.Is there a way to do this?

FIRST search:

 

 

source="a.csv" OR source="b.csv" OR source="c.csv" Company="x" 
| eval Created=substr(Created, 1, 7) 
| eval a=if(State="Closed",1,0)
| chart sum(a) AS closed_event by Created

 

 

SECOND search:

 

 

source="a.csv" OR source="b.csv" OR source="c.csv" Company="x" 
| eval Created=substr(Created, 1, 7)
| chart count by Created,source

 

 

 I want the first search as a line chart and the second search as a column chart,combining them.

Thanks in advance

Labels (1)
Labels
0 Karma
Reply

srauhala_splunk
Splunk Employee
Splunk Employee
‎03-29-2023 02:24 AM

Maybe something like: 

 

source="a.csv" OR source="b.csv" OR source="c.csv" Company="x"
```Expection State is either "Created OR Closed" ```
| eval state_source = State.":".source
| chart count by state_source

 

 

/Seb 

0 Karma
Reply

Kaiyue
Loves-to-Learn Lots
‎03-29-2023 02:35 AM
Sorry it didn't work, thanks for your answer
0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎03-29-2023 02:06 AM

If the two searches have different groupby lists, this is impossible.  Just try to draw a mockup and illustrate how the output will look like.

0 Karma
Reply

Kaiyue
Loves-to-Learn Lots
‎03-29-2023 06:20 PM

If I change the second search like this,is it possible to achieve?

source="a.csv" OR source="b.csv" OR source="c.csv" Company="x"

| eval Created=substr(Created, 1, 7)

| count(eval(source="a.csv")) AS A count(eval(source="b.csv")) AS B count(eval(source="c.csv")) AS C by Created

0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎03-29-2023 11:05 PM

If you have the same groupby, yes.  The name of the game is overlay.  In fact, I gave an example in my .conf22 talk.

To help visualize, this is the effect you wanted:

Line chart and column chartLine chart and column chart

To get this, your search would look like

 

source="a.csv" OR source="b.csv" OR source="c.csv" Company="x" 
| eval Created=substr(Created, 1, 7) 
| eval a=if(State="Closed",1,0)
| chart sum(a) AS closed_event count(eval(source="a.csv")) AS A count(eval(source="b.csv")) AS B count(eval(source="c.csv")) AS C by Created

 

Then, open Visualization, select column chart as your base type.  Then, click Format -> Chart Overlay.  Select "closed_event" into Overlay.  if the numbers between closed_event and A, B, C is large, the chart will benefit from "View as Axis", which create a separately scaled Y-axis on the right side as illustrated above.

chart-overlay.png

Hope this helps.

 

Tags (1)
0 Karma
Reply

srauhala_splunk
Splunk Employee
Splunk Employee
‎03-29-2023 10:55 PM

Hi! 

Most things are possible. Let's try to figure what we are trying to achieve. 

"| eval Created=substr(Created, 1, 7)"

Is this generating a state i.e. "created" or is this a user_id or similar with multiple combinations of values? 

"| eval a=if(State="Closed",1,0)" 

Do you want to count the number of occurrences something was created  and closed? 

maybe

source="a.csv" OR source="b.csv" OR source="c.csv" Company="x"
| eval created_by=substr(Created, 1, 7)
| eval is_closed=if(State="Closed",1,0)
| eval user_source = created_by.":".source
| chart sum(is_closed), count by user_source

OR 

source="a.csv" OR source="b.csv" OR source="c.csv" Company="x"
| eval created_by=substr(Created, 1, 7)
| eval is_closed=if(State="Closed",1,0)
| eval user_source = created_by.":".source
| chart sum(is_closed), count by created_by, source

 

/Seb 

 

 

 

 

0 Karma
Reply

Kaiyue
Loves-to-Learn Lots
‎03-29-2023 02:24 AM

Thank you very much for your answer, if there is a way to implement it in the dashboard

0 Karma
Reply
Get Updates on the Splunk Community!

CX Day is Coming!

Customer Experience (CX) Day is on October 7th!! We're so excited to bring back another day full of wonderful ...

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

The Big One: Splunk 10 is Here!  The moment many of you have been waiting for has arrived! We are thrilled to ...

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Today, we’re excited to announce the release of a brand new AI assistant usage dashboard in Cloud Monitoring ...