Re: how copmare two table values in one visualisat...

unsmoker · ‎08-02-2017

I have 2 tables with energy spent values by month of years, one for 2015 other for 2016. Can I put two table values in one table chart visualisation table?

DalJeanis · ‎08-03-2017

Yes, you can append them together ...

| inputcsv myfirstfile.csv | inputcsv append=t mysecondfile.csv

... here's a way to simulate those results ...

| makeresults count=24 | streamstats count as monthno  
| eval _time=relative_time(_time,"-3y@y-1mon+".monthno."mon@mon") 
| eval usage=100*(50+ random()%50+random()%50)
| rename COMMENT as "The above just makes 24 months of data"

...and then either ...

1) make a 1-year graph with two series, one for each year...

| eval Year = strftime(_time,"%Y") 
| eval Month = strftime(_time,"%m %b") 
| eval _time = if(Year="2014", relative_time(_time,"+1y"),_time)
| chart sum(usage) over Month by Year

... or ...

2) make a single 2-year graph ...

| timechart sum(usage) by Year
| where _time=86400*floor(_time/86400)

The last part is to get rid of some garbage records that timechart has been adding onto the end lately

how copmare two table values in one visualisation charts?

What the End of Support for Splunk Add-on Builder Means for You

Solve, Learn, Repeat: New Puzzle Channel Now Live

Building Reliable Asset and Identity Frameworks in Splunk ES

Are you a member of the Splunk Community?

how copmare two table values in one visualisation charts?

What the End of Support for Splunk Add-on Builder Means for You

Solve, Learn, Repeat: New Puzzle Channel Now Live

Building Reliable Asset and Identity Frameworks in Splunk ES