Solved: compare three searches in one timechart by month w...

thirumalreddyb · ‎05-23-2013

I am trying to display all the searches on single chart. My moto is to compare "first search", "second search", and "third search" in one timechart. Please help me

index="xyz" | timechart count(start_date) by month| rename NULL as "first search"

index="xyz" NOT login_id=0 | timechart count by login_id as "second search"

index="xyz" lead_comp_pct>="70" |search remote_comp_pct>="70" | search NOT login_duration_in_hours=0 | timechart count(start_date) as "third search"

wpreston · ‎05-23-2013

One way of doing this is to make use of the eval, append and stats commands. To show them all on the same chart, you need your search results all comparing apples to apples, as it were. You get your search results all in the same format with the necessary fields by using stats and create an arbitrary field using eval to identify each set of results as coming from the appropriate search (or however you want to differentiate them), then append your second and third searches (also using stats for formatting and fields) to your first search's results with append, then report on the final dataset with timechart. See if something like this will work for you:

index="xyz"  
    | eval SearchNumber="First Search" 
    | stats count(start_date) by SearchNumber, _time
    | append [search index="xyz" NOT login_id=0 
        | eval SearchNumber="Second Search"
        | stats count by SearchNumber, _time] 
        | append [search index="xyz" lead_comp_pct>=70 remote_comp_pct>=70 NOT login_duration_in_hours=0 
            | eval SearchNumber="Third Search"
            | stats count (start_date) by Search_Number, _time]
    | timechart count by SearchNumber span=mon

Modify the search however you need but this should illustrate the concept. I put in extra line breaks here so that the search is more readable, but you probably don't want them in your search bar. Also, I'm sure there are other ways of achieving what you need this but this is what comes to mind.

View solution in original post

wpreston · ‎05-23-2013

One way of doing this is to make use of the eval, append and stats commands. To show them all on the same chart, you need your search results all comparing apples to apples, as it were. You get your search results all in the same format with the necessary fields by using stats and create an arbitrary field using eval to identify each set of results as coming from the appropriate search (or however you want to differentiate them), then append your second and third searches (also using stats for formatting and fields) to your first search's results with append, then report on the final dataset with timechart. See if something like this will work for you:

index="xyz"  
    | eval SearchNumber="First Search" 
    | stats count(start_date) by SearchNumber, _time
    | append [search index="xyz" NOT login_id=0 
        | eval SearchNumber="Second Search"
        | stats count by SearchNumber, _time] 
        | append [search index="xyz" lead_comp_pct>=70 remote_comp_pct>=70 NOT login_duration_in_hours=0 
            | eval SearchNumber="Third Search"
            | stats count (start_date) by Search_Number, _time]
    | timechart count by SearchNumber span=mon

Modify the search however you need but this should illustrate the concept. I put in extra line breaks here so that the search is more readable, but you probably don't want them in your search bar. Also, I'm sure there are other ways of achieving what you need this but this is what comes to mind.

compare three searches in one timechart by month wise

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!