Solved: Re: Merge two line charts

super_virus · ‎11-16-2017

Hi ,

Very new to splunk.
I need to search a index with two strings example:

"ABC1"
"XVZ2"

And create a line graphs of the count of time we found those two strings. I have two searches that do this for each string and create separate graphs .

Graph 1 : index=index_name host="host1" OR "host2" "ABC1" | timechart count(_raw) as error span=1h
GRAPH 2 : index=index_name host="host1" OR "host2" "XVZ2"| timechart count(_raw) as warning span=1h

How can i merge these graphs? I need to have one chart with two lines (one for error and other for warning ) representing the above searches . Please help.

somesoni2 · ‎11-16-2017

Try like this

index=index_name (host="host1" OR "host2") "ABC1" OR "XVZ2"
| eval error=if(searchmatch("ABC1"),1,0)
| eval warning=if(searchmatch( "XVZ2"),1,0)
| timechart span=1h sum(error) as error sum(warning) as warning

View solution in original post

somesoni2 · ‎11-16-2017

Try like this

index=index_name (host="host1" OR "host2") "ABC1" OR "XVZ2"
| eval error=if(searchmatch("ABC1"),1,0)
| eval warning=if(searchmatch( "XVZ2"),1,0)
| timechart span=1h sum(error) as error sum(warning) as warning

super_virus · ‎11-16-2017

Thanks ! This works!

Merge two line charts

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Monitoring AI Agents with Splunk Observability Cloud

[Puzzles] Solve, Learn, Repeat: Tiling

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

Join the Conversation