I have 2 searches and would like to overlay them on the same chart. The first creates a stacked column chart:
index=av_log sourcetype=sophos_threat_events | dedup ComputerName FullFilePath | timechart count by ThreatType
The second creates a line graph:
index=av_log sourcetype=sophos_threat_events Status = Resolved | dedup ComputerName FullFilePath | timechart count
Any way to simply overlay these in Splunk 6.1 or 6.2?
Without the dedup I'd throw them into one simple search, with the dedup I'd fall back to pesky appendcols:
index=av_log sourcetype=sophos_threat_events | dedup ComputerName FullFilePath | timechart count by ThreatType
| appendcols
[search index=av_log sourcetype=sophos_threat_events Status=Resolved | dedup ComputerName FullFilePath | timechart count as Status_Resolved]
Set the line overlay to show the Status_Resolved field.
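Added here as an illustration, not code from the page or from Splunk: a small Python model of the dedup and timechart semantics run over constructed Sophos-style events, showing why the resolved count needs its own deduped search once dedup is in play. The field names mirror the page's searches; the sample events, the fixed one-hour span and the bucket-wise alignment of appendcols are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events shaped like the page's sophos_threat_events sourcetype (not real data).
# ws01 re-detects the same file after it was resolved, so one ComputerName+FullFilePath pair
# carries both a Resolved and a later Detected event.
T0 = datetime(2015, 3, 1)
def ev(minutes, host, path, ttype, status):
    return {"_time": T0 + timedelta(minutes=minutes), "ComputerName": host,
            "FullFilePath": path, "ThreatType": ttype, "Status": status}
EVENTS = [
    ev(5, "ws01", r"C:\tmp\a.exe", "Virus", "Resolved"),
    ev(40, "ws01", r"C:\tmp\a.exe", "Virus", "Detected"),
    ev(70, "ws02", r"C:\tmp\b.dll", "PUA", "Resolved"),
    ev(90, "ws03", r"C:\tmp\c.js", "Trojan", "Detected"),
]

def dedup(events, *fields):
    """Model of `dedup f1 f2 ...`: keep only the most recent event per field combination."""
    seen, kept = set(), []
    for e in sorted(events, key=lambda x: x["_time"], reverse=True):
        key = tuple(e[f] for f in fields)
        if key not in seen:
            seen.add(key)
            kept.append(e)
    return kept

def timechart_count(events, by=None, span=timedelta(hours=1)):
    """Model of `timechart count [by field]` at a fixed span: {bucket_start: {series: count}}."""
    chart = defaultdict(Counter)
    for e in events:
        bucket = T0 + span * ((e["_time"] - T0) // span)
        chart[bucket][e[by] if by else "count"] += 1
    return chart

def overlay_with_appendcols():
    """The answer's approach: dedup each search separately, then paste the resolved column on.
    Real appendcols joins rows by position; aligning by bucket here assumes both timecharts
    cover the same time range (true when both run with the same time picker and span)."""
    chart = timechart_count(dedup(EVENTS, "ComputerName", "FullFilePath"), by="ThreatType")
    resolved = [e for e in EVENTS if e["Status"] == "Resolved"]
    for bucket, row in timechart_count(dedup(resolved, "ComputerName", "FullFilePath")).items():
        chart[bucket]["Status_Resolved"] = row["count"]
    return chart

def single_search_resolved():
    """The tempting one-search shortcut: dedup once, then count the Resolved survivors.
    ws01's Resolved event loses the dedup to its later re-detection, so this undercounts."""
    return sum(1 for e in dedup(EVENTS, "ComputerName", "FullFilePath") if e["Status"] == "Resolved")
```

With the constructed events the appendcols version reports two resolved detections while the single-search shortcut reports one, which is the gap the answer's "with the dedup" caveat is about.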
Thanks Martin, I just had to add "search" after the first "[" and it worked great.
Ooooops 😄