Re: Merging two chart together

carrotball · ‎03-07-2013

Hi,

I'm currently have 2 charts, one is the number of sms sent during office hour, the other is after office hour. is there any way i can merge the 2 search queries as one?

sourcetype="CAS-v3" sender!="CHI" sender!="PNSMS" dept=TSID recipient="HEAT*" | where date_hour>8 and date_hour<19 | timechart span="month" count by recipient

sourcetype="CAS-v3" sender!="CHI" sender!="PNSMS" dept=TSID recipient="HEAT*" | where date_hour<8 or date_hour>19 | timechart span="month" count by recipient

Ayn · ‎03-08-2013

sourcetype="CAS-v3" sender!="CHI" sender!="PNSMS" dept=TSID recipient="HEAT*" | eval hour_type=case(date_hour>=8 AND date_hour<19,"office hours",date_hour<8 OR date_hour>=19,"outside office hours") |timechart span=1mon count by recipient,hour_type

carrotball · ‎03-10-2013

hmmmmm
thanks for the help, the second one works but cant display it by month...

wondering if i can tune it more. time to go read lol

MuS · ‎03-08-2013

I wonder if this will work, because 'timechart' can only take one 'split by' series, 'chart' can take two.

So for timechart it would be:
...| timechart span=1mon count(recipient) by hour_type

and for chart it would be:
...| chart count by recipient,hour_type

on the other hand, count(recipient) will count all events that have a recipient and not events for each recipient....

MuS · ‎03-08-2013

hmmmmm I must be doing something wrong here Ayn, but I get an 'Error in 'timechart' command: The argument 'hour_type' is invalid.' if I use your search?

Merging two chart together

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk