Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Merging TWO Timecharts overlay-One on Top of One A...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have the following search.
index=ko_autosys sourcetype=autosys_applog_scheduler_events host="usatlb98" OR host="usatlb91" System="*" eventtype=autosys_initiated_jobs |timechart span=1d count(JOB_NAME) as Count |append [search index=ko_autosys sourcetype=autosys_applog_scheduler_events host="usatlb98" OR host="usatlb91" System="*" eventtype=autosys_initiated_jobs earliest=07/12/2015:0:0:0 latest=07/27/2015:0:0:0 |timechart span=1d count(JOB_NAME) |rename count(JOB_NAME) as "Close-Freeze Period" |fields "Close-Freeze Period"]
I want the subsearch timechart to be an overlay on top of the first timechart. At the moment, the two timecharts are displayed next to one another. I would like them to be on top of one another. Please help! Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try - index=ko_autosys sourcetype=autosys_applog_scheduler_events host="usatlb98" OR host="usatlb91" System="*" eventtype=autosys_initiated_jobs |timechart span=1d count(JOB_NAME) as Count |append [search index=ko_autosys sourcetype=autosys_applog_scheduler_events host="usatlb98" OR host="usatlb91" System="*" eventtype=autosys_initiated_jobs earliest=07/12/2015:0:0:0 latest=07/27/2015:0:0:0 |timechart span=1d count(JOB_NAME) |rename count(JOB_NAME) as "Close-Freeze Period" |fields "Close-Freeze Period"] | timechart first(*) as *
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just making the answer generic
<your_query_with_timestamp>| timechart span=1h avg(datapoint1)
| appendcols [ | search <your_query_with_timestamp> | timechart span=1h avg(datapoint2)]
Things to note
1. timechart "span" should be similar
2. timezone of data should be similar
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This should work:
index=ko_autosys sourcetype=autosys_applog_scheduler_events host="usatlb98" OR host="usatlb91" System="*" eventtype=autosys_initiated_jobs | timechart span=1d count(JOB_NAME) as Count | appendcols [search index=ko_autosys sourcetype=autosys_applog_scheduler_events host="usatlb98" OR host="usatlb91" System="*" eventtype=autosys_initiated_jobs earliest=07/12/2015:0:0:0 latest=07/27/2015:0:0:0 | timechart span=1d count(JOB_NAME) AS "Close-Freeze Period" | fields "Close-Freeze Period"]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try - index=ko_autosys sourcetype=autosys_applog_scheduler_events host="usatlb98" OR host="usatlb91" System="*" eventtype=autosys_initiated_jobs |timechart span=1d count(JOB_NAME) as Count |append [search index=ko_autosys sourcetype=autosys_applog_scheduler_events host="usatlb98" OR host="usatlb91" System="*" eventtype=autosys_initiated_jobs earliest=07/12/2015:0:0:0 latest=07/27/2015:0:0:0 |timechart span=1d count(JOB_NAME) |rename count(JOB_NAME) as "Close-Freeze Period" |fields "Close-Freeze Period"] | timechart first(*) as *
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Really help out! Thanks!
Community Content Calendar, September edition
Splunkbase Unveils New App Listing Management Public Preview
Leveraging Automated Threat Analysis Across the Splunk Ecosystem
