How to overlay two searches on the same chart in Splunk 6.1 or 6.2?

hlarimer
Communicator

I have 2 searches and would like to overlay them on the same chart. The first creates a stacked column chart:

index=av_log sourcetype=sophos_threat_events | dedup ComputerName FullFilePath | timechart count by ThreatType

The second creates a line graph:

index=av_log sourcetype=sophos_threat_events Status = Resolved | dedup ComputerName FullFilePath | timechart count

Any way to simply overlay these in Splunk 6.1 or 6.2?

1 Solution

martin_mueller
SplunkTrust

Without the dedup I'd throw them into one simple search, with the dedup I'd fall back to pesky appendcols:

index=av_log sourcetype=sophos_threat_events | dedup ComputerName FullFilePath | timechart count by ThreatType
| appendcols
  [search index=av_log sourcetype=sophos_threat_events Status = Resolved | dedup ComputerName FullFilePath | timechart count as Status_Resolved]

Set the line overlay to show the Status_Resolved field.
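Added example (not part of Martin's answer or of the original question): when it is acceptable to run the dedup once before counting, the same overlay can be produced by a single search with no subsearch. Each event is placed into its own ThreatType series and, when its Status is Resolved, additionally into an extra Status_Resolved series, so one timechart yields both the stacked columns and the line. Field and value names are taken from the question; the 1-day span, the series field name and limit=0 are my choices.

```spl
index=av_log sourcetype=sophos_threat_events
| dedup ComputerName FullFilePath
| eval series=if(Status="Resolved", mvappend(ThreatType, "Status_Resolved"), ThreatType)
| mvexpand series
| timechart span=1d limit=0 count by series
```

Set the chart's line overlay to Status_Resolved as in the answer above; the remaining series stay as stacked columns. Two things differ from the appendcols version. First, Status_Resolved is counted after the shared dedup rather than in its own deduplicated search, so its values can differ slightly from a subsearch that dedups only the Resolved events. Second, appendcols joins the two result sets row by row, so both timecharts must cover the same time range with the same span (and the subsearch must stay within Splunk's subsearch result and time limits) or the line shifts against the columns; a single search avoids that alignment problem. limit=0 keeps every ThreatType as its own series instead of folding the less frequent ones into OTHER.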

hlarimer
Communicator

Thanks Martin, I just had to add "search" after the first "[" and it worked great.

martin_mueller
SplunkTrust

Ooooops :grinning_face_with_smiling_eyes:
