Solved: Merge two line charts

super_virus · ‎11-16-2017

Hi ,

Very new to splunk.
I need to search a index with two strings example:

"ABC1"
"XVZ2"

And create a line graphs of the count of time we found those two strings. I have two searches that do this for each string and create separate graphs .

Graph 1 : index=index_name host="host1" OR "host2" "ABC1" | timechart count(_raw) as error span=1h
GRAPH 2 : index=index_name host="host1" OR "host2" "XVZ2"| timechart count(_raw) as warning span=1h

How can i merge these graphs? I need to have one chart with two lines (one for error and other for warning ) representing the above searches . Please help.

somesoni2 · ‎11-16-2017

Try like this

index=index_name (host="host1" OR "host2") "ABC1" OR "XVZ2"
| eval error=if(searchmatch("ABC1"),1,0)
| eval warning=if(searchmatch( "XVZ2"),1,0)
| timechart span=1h sum(error) as error sum(warning) as warning

View solution in original post

somesoni2 · ‎11-16-2017

Try like this

index=index_name (host="host1" OR "host2") "ABC1" OR "XVZ2"
| eval error=if(searchmatch("ABC1"),1,0)
| eval warning=if(searchmatch( "XVZ2"),1,0)
| timechart span=1h sum(error) as error sum(warning) as warning

super_virus · ‎11-16-2017

Thanks ! This works!

Merge two line charts

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

Are you a member of the Splunk Community?

Merge two line charts

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk