Solved: Re: How to combine my timechart searches to genera...

sravankaripe · ‎01-31-2017

i have a use case to combine three line graph into one panel. and i have searches like this

1) index=abc -------------| timechart avg(val1)
2) index=abc -------------| timechart avg(val2)
3) index=abc -------------| timechart avg(val3)

Please let me know how can i combine this three searches in order to see this three line graph in one single panel.

gcusello · ‎01-31-2017

Hi sravankaripe,
you should build something like this:

index=abc | bin =1h | timechart avg(val1) AS val1
| append [ index=abc | bin =1h | timechart avg(val2) AS val2 ]
| append [ index=abc | bin =1h | timechart avg(val3) AS val3 ]
| stats values(val1) AS val1 values(val2) AS val2 values(val3) AS val3 by _time

Bye.
Giuseppe

View solution in original post

somesoni2 · ‎01-31-2017

Best option would be to merge the base searches on the those 3 searches. 2nd best option would to use append/appendcols command to merge those results. Which one is feasible can be decided if you could post your full searches.

gcusello · ‎01-31-2017

Hi sravankaripe,
you should build something like this:

index=abc | bin =1h | timechart avg(val1) AS val1
| append [ index=abc | bin =1h | timechart avg(val2) AS val2 ]
| append [ index=abc | bin =1h | timechart avg(val3) AS val3 ]
| stats values(val1) AS val1 values(val2) AS val2 values(val3) AS val3 by _time

Bye.
Giuseppe

sravankaripe · ‎01-31-2017

i got it by appendcols

hortonew · ‎01-31-2017

You can use the append/appendcols command(s). For instance:

or the following if it really is the same data you're pulling values from

index=abc | timechart avg(val1) avg(val2) avg(val3)

How to combine my timechart searches to generate a line graph in a single panel?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor