Splunk Search

Combine two line reports in a single chart

Communicator

Hi,

I want to merge two line chart reports from two different sourcetypes into a single chart.

e.g. index="OCSMONITOR" source=*process* | timechart span=1m count(_raw) | [merge] |
index="OCSMONITOR" source=*new* | timechart span=1m count(_raw)

Please suggest how I should do this.


Legend

Try this

index="OCSMONITOR" source=*process* OR source=*new* | timechart span=1m count by source

or this

index="OCSMONITOR" source=*process* OR source=*new* 
| eval type=if(match(source,"process"),"process","new")
| timechart span=1m count by type

SplunkTrust

Try this

index="OCSMONITOR" source=*process* OR source=*new* | timechart span=1m count(eval(match(source,"process"))) as CountProcess count(eval(match(source,"new"))) as CountNew