Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Need to Create Two Time Series in One Chart

msettipane
Splunk Employee
Splunk Employee
‎11-28-2012 07:26 AM

Answer below.

0 Karma
Reply

msettipane
Splunk Employee
Splunk Employee
‎11-28-2012 07:27 AM

Credit to Dritan.

Plotting two time-series in one chart is a frequent ask from many of our customers. After several related questions/requests in chat and mailing lists I decided to create and share three macros to facilitate this. They draw two time-series graphs by using a single search while manipulating the _time field and then keying the series off of a new field. Of course, there are several ways to achieve this, as witnessed in Answers and elsewhere, so feel free to modify as necessary. But whatever smart changes and improvements you make (such as parametrize even further ex. the time range, the span etc), please share.

macros.conf

hour over hour compare, 1m span

[twoseries_h(2)]
args = search, measure
definition = $search$ earliest=-1h@h \
| bin span=1m _time\
| addinfo\
| eval marker = if(_time < info_min_time + 3600, "Last Hour", "Current Hour") \
| eval _time = if(_time < info_min_time + 3600, _time + 3600, _time) \
| chart $measure$ by _time marker
iseval = 0

day over day compare, 15m span

[twoseries_d(2)]
args = search, measure
definition = $search$ earliest=-1d@d \
| bin span=15m _time\
| addinfo\
| eval marker = if(_time < info_min_time + 24*3600, "Yesterday", "Today") \
| eval _time = if(_time < info_min_time + 24*3600, _time + 24*3600, _time) \
| chart $measure$ by _time marker
iseval = 0

week over week compare, 1h span

[twoseries_w(2)]
args = search, measure
definition = $search$ earliest=-1w@w\
| bin span=1h _time\
| addinfo\
| eval marker = if(_time < info_min_time + 7*24*3600, "Last Week", "Current Week") \
| eval _time = if(_time < info_min_time + 7*24*3600, _time + 7*24*3600, _time) \
| chart $measure$ by _time marker
iseval = 0

Sample Searches:

Event Count: Current Hour vs. Last Hour

twoseries_h("index=_internal", count)

Indexing Thruput: Today vs. Yesterday
twoseries_d("index=_internal group=per_index_thruput series=_internal", "avg(kbps)")

Started Searches: Current Week vs. Last Week
twoseries_w("index=_internal source=*metrics.log group=searchscheduler", "sum(dispatched)")

More info here:
http://blogs.splunk.com/2012/02/19/compare-two-time-ranges-in-one-report/
http://splunk-base.splunk.com/answers/11350/2-searches-1-chart
http://splunk-base.splunk.com/answers/23345/2-searches-1-graph
http://splunk-base.splunk.com/answers/2712/line-chart-comparing-yesterdays-result-with-todays-result...

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Observability Simplified: Combining User Experience, Application Performance & ...

Tech Talk Observability Simplified: Combining User Experience, Application Performance & Network ...

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...

Global Splunk User Group Events: May + June 2026

Your Splunk Community Awaits: Discover Upcoming User Group Events Worldwide    Staying ahead in the fast-paced ...