Solved: How to use timechart to get two different timechar...

zqmirza · ‎08-17-2016

I am using the search below to get two different averages from two different indexes:

index=a| bucket _time span=4h | stats avg(session_count) as X by _time
| append [search index=b| bucket _time span=4h | stats avg(session_count) as Y by _time]

Now I want a time chart to sum X & Y in each of the 4 hour time frames
Can you please see the search I wrote and suggest how to get this result?

renjith_nair · ‎08-18-2016

Try this

(index=a OR index=b)|timechart span=4h usenull=f avg(session_count) by index|eval sum=a+b

---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

renjith_nair · ‎08-18-2016

Try this

(index=a OR index=b)|timechart span=4h usenull=f avg(session_count) by index|eval sum=a+b

---
What goes around comes around. If it helps, hit it with Karma 🙂

zqmirza · ‎08-20-2016

yes, it's working just need to use the fields - a, b to only show the sum. Great! Thanks.

How to use timechart to get two different timechart averages, then get a sum of those two values in each time span?

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!

Join the Conversation

How to use timechart to get two different timechart averages, then get a sum of those two values in each time span?

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!