Splunk Search

Merge two line chart with different query in to single line chart

karthi25
Path Finder

I have two line chart with different queries as follows:

 <chart>
            <search>
              <query>index=*** source=*** |spath path=TestSplunkLog.TestFailureLog.payload.failureCount output=failureCount|spath path=TestSplunkLog.TestFailureLog.payload.startTime output=startDate| sort -splunkLogId | eval runDate = strftime(strptime(startDate, "%Y-%m-%d %H:%M"),"%Y-%m-%d %H:%M") | chart  values(failureCount) as FAILURERECORDCOUNT over runDate</query>
              <earliest>$dashboardTime.earliest$</earliest>
              <latest>$dashboardTime.latest$</latest>
              <refresh>30m</refresh>
              <refreshType>delay</refreshType>
            </search>
            <option name="charting.axisTitleX.text">Date</option>
            <option name="charting.axisTitleY.text">Record Count</option>
            <option name="charting.axisY.scale">linear</option>
            <option name="charting.chart">line</option>
            <option name="charting.chart.showDataLabels">none</option>
            <option name="charting.legend.placement">none</option>
          </chart>

    <chart>
            <search>
              <query>index=*** source=*** |spath path=TestSplunkLog.TestSuccessLog.payload.successCount output=successCount|spath path=TestSplunkLog.TestSuccessLog.payload.startTime output=startDate| sort -splunkLogId | eval runDate = strftime(strptime(startDate, "%Y-%m-%d %H:%M"),"%Y-%m-%d %H:%M") | chart  values(successCount) as SUCCESSRECORDCOUNT over runDate</query>
              <earliest>$dashboardTime.earliest$</earliest>
              <latest>$dashboardTime.latest$</latest>
              <refresh>30m</refresh>
              <refreshType>delay</refreshType>
            </search>
            <option name="charting.axisTitleX.text">Date</option>
            <option name="charting.axisTitleY.text">Record Count</option>
            <option name="charting.axisY.scale">linear</option>
            <option name="charting.chart">line</option>
            <option name="charting.chart.showDataLabels">none</option>
            <option name="charting.legend.placement">none</option>
          </chart>

Now, I want to merge this two line chart and convert it to single multi-line chart. Since the JSON path varies, I felt difficult to do this. Can anyone please help me on this.

0 Karma

woodcock
Esteemed Legend

Can you work with this?

index=*** source=*** |spath path=TestSplunkLog.TestSuccessLog.payload ...
0 Karma
Get Updates on the Splunk Community!

Video | Welcome Back to Smartness, Pedro

Remember Splunk Community member, Pedro Borges? If you tuned into Episode 2 of our Smartness interview series, ...

Detector Best Practices: Static Thresholds

Introduction In observability monitoring, static thresholds are used to monitor fixed, known values within ...

Expert Tips from Splunk Education, Observability in Action, Plus More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...