Solved: How to merge 3 timecharts into one?

larsxschneider · ‎07-21-2014

Hi,

I have three slightly different queries on the same data set.

(1)
general_attribute="foo" special_attribute="A" | timechart span="1d" dc(user)

(2)
general_attribute="foo" special_attribute="B" | timechart span="1d" dc(user)

(3)
general_attribute="foo" special_attribute="C" | timechart span="1d" dc(user)

I would like to see all three of them in one chart. E.g a bar chart with 3 bars per day.
Is this possible with Splunk?

Thanks,
Lars

martin_mueller · ‎07-21-2014

Sure.

 general_attribute="foo" (special_attribute="A" OR special_attribute="B" OR special_attribute="C") | timechart span="1d" dc(user) by special_attribute

Common visualizations for this are (stacked) columns, (stacked) area, or line charts depending on the meaning of the data and the viewer.

View solution in original post

martin_mueller · ‎07-21-2014

Sure.

 general_attribute="foo" (special_attribute="A" OR special_attribute="B" OR special_attribute="C") | timechart span="1d" dc(user) by special_attribute

Common visualizations for this are (stacked) columns, (stacked) area, or line charts depending on the meaning of the data and the viewer.

larsxschneider · ‎07-21-2014

Works great, thank you!!

How to merge 3 timecharts into one?

New Year, New Changes for Splunk Certifications

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events

Join the Conversation

How to merge 3 timecharts into one?

New Year, New Changes for Splunk Certifications

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events