Solved: Timechart, 2nd field value on the chart

dfofie · ‎10-22-2018

I have a timechart,

But I've liked to display another field value directly on one chart line. (see the picture)

This is the query I'm using:
index="testing_cc_ps" sourcetype="prc_l4_rqmt_progress" | eval newTime=strptime(date, "%Y-%m-%d") | eval _time=newTime | table _time, type, value | timechart span=1d values(value) by type usenull=false useother=f
The is a third field called Milestone, is it any possibility to write a query that can also plot those milestone on the chart ?
Best regards.

kmaron · ‎10-23-2018

try the appendcols command: https://docs.splunk.com/Documentation/Splunk/7.2.0/SearchReference/Appendcols

index="testing_cc_ps" sourcetype="prc_l4_rqmt_progress" 
| eval newTime=strptime(date, "%Y-%m-%d") 
| eval _time=newTime 
| table _time, type, value 
| timechart span=1d values(value) by type usenull=false useother=f
| appendcols [search (base search stuff) | timechart for milestones]

View solution in original post

kmaron · ‎10-23-2018

try the appendcols command: https://docs.splunk.com/Documentation/Splunk/7.2.0/SearchReference/Appendcols

index="testing_cc_ps" sourcetype="prc_l4_rqmt_progress" 
| eval newTime=strptime(date, "%Y-%m-%d") 
| eval _time=newTime 
| table _time, type, value 
| timechart span=1d values(value) by type usenull=false useother=f
| appendcols [search (base search stuff) | timechart for milestones]

Timechart, 2nd field value on the chart

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Join the Conversation