Solved: Re: Put multiple timecharts into one

deanamite91 · ‎09-22-2015

I have three timecharts which I want to sum together.

index="commercial_performance" Cat1="Entitlement *" | timechart limit=0 sum(Value) by Service_line
index="commercial_performance" Cat1="Efficiency *" | timechart limit=0  sum(Value) by Service_line
index="commercial_performance" Cat1="Intervention *" | timechart limit=0  sum(Value) by Service_line

I have tried appendcols but it didn't seen to work. Can someone help?

somesoni2 · ‎09-22-2015

Try something like this (to get one sum of Value per Service_line for all of Cat1 field)

index="commercial_performance" Cat1="Entitlement *" OR  Cat1="Efficiency *" OR  Cat1="Intervention *"  | timechart limit=0  sum(Value) by Service_line

If you want have one sum of Value per Service_line per Cat1, tryr this

   index="commercial_performance" Cat1="Entitlement *" OR  Cat1="Efficiency *" OR  Cat1="Intervention *"  | eval Service_line=Service_line."-".Cat1| timechart limit=0  sum(Value) by Service_line

View solution in original post

somesoni2 · ‎09-22-2015

Try something like this (to get one sum of Value per Service_line for all of Cat1 field)

index="commercial_performance" Cat1="Entitlement *" OR  Cat1="Efficiency *" OR  Cat1="Intervention *"  | timechart limit=0  sum(Value) by Service_line

If you want have one sum of Value per Service_line per Cat1, tryr this

   index="commercial_performance" Cat1="Entitlement *" OR  Cat1="Efficiency *" OR  Cat1="Intervention *"  | eval Service_line=Service_line."-".Cat1| timechart limit=0  sum(Value) by Service_line

Put multiple timecharts into one

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor