Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Multiple searches on one chart

ericrobinson
Path Finder
‎09-01-2010 08:28 PM

Is it possible to have multiple search results represented on one chart? I have (2) searches defined that extract and return results. I want to coorelate these result sets on the same chart. Is that possible?

Tags (1)
0 Karma
Reply

southeringtonp
Motivator
‎09-01-2010 09:30 PM

Not directly.

You need to combine the two searches into a single search, but each search should have some field that is consistent across all results. This may be as simple as an OR clause, e.g.:

(host=foo) OR (host=bar)

In that case, you can split your chart by series "host".

In more complex scenarios, you might need to resort to something like append to merge the two searches -- then you can artificially add the identifying field, like so:

host=foo | eval series=SearchNumberOne | append [ search host=bar | eval series=SearchNumberTwo ]

This should give you a field called "searchname" in all results -- in your chart, you can then split on "series" to get both distinct datasets.

For more information you might want to refer to How Subsearches Work in the docs, and look for the append and set commands in particular.

Finally, I don't think that charting will let you split by multiple fields. If it won't, and you need that, you can also get creative with eval and string concatenation to generate a new composite field, and split your series on that, e.g.:

| eval series="SearchNumberOne - "+src_ip
Reply

motobeats
Path Finder
‎07-03-2013 01:31 PM

But does work when I enclose the string in quotes (i.e. "SearchNumberTwo")

0 Karma
Reply

motobeats
Path Finder
‎07-03-2013 12:55 PM

This didn't work for me. I do not see a field called "searchname" when I do fieldsummary

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎09-30-2010 03:48 AM

More detail on graphing multiple split-by fields: http://www.splunk.com/base/Documentation/4.1.5/User/ReportOfMultipleDataSeries

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...