Solved: Merge two line charts

super_virus · ‎11-16-2017

Hi ,

Very new to splunk.
I need to search a index with two strings example:

"ABC1"
"XVZ2"

And create a line graphs of the count of time we found those two strings. I have two searches that do this for each string and create separate graphs .

Graph 1 : index=index_name host="host1" OR "host2" "ABC1" | timechart count(_raw) as error span=1h
GRAPH 2 : index=index_name host="host1" OR "host2" "XVZ2"| timechart count(_raw) as warning span=1h

How can i merge these graphs? I need to have one chart with two lines (one for error and other for warning ) representing the above searches . Please help.

somesoni2 · ‎11-16-2017

Try like this

index=index_name (host="host1" OR "host2") "ABC1" OR "XVZ2"
| eval error=if(searchmatch("ABC1"),1,0)
| eval warning=if(searchmatch( "XVZ2"),1,0)
| timechart span=1h sum(error) as error sum(warning) as warning

View solution in original post

somesoni2 · ‎11-16-2017

Try like this

index=index_name (host="host1" OR "host2") "ABC1" OR "XVZ2"
| eval error=if(searchmatch("ABC1"),1,0)
| eval warning=if(searchmatch( "XVZ2"),1,0)
| timechart span=1h sum(error) as error sum(warning) as warning

super_virus · ‎11-16-2017

Thanks ! This works!

Merge two line charts

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!

Join the Conversation

Merge two line charts

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!