how to combine two searches into one chart using c...

florapann · ‎11-07-2021

i have initial query with one index name(index1) which show F10N F10W F11 etc values in one chart but for F6 value comes from different index (index2) . how should i combine that F6 value into one chart.

index1 : MicronSite IN($input_site$) index=mtparam sourcetype=CommandTimesByArea | rex field=_raw "Fabwide:AvgTotalTrackoutTime\s+(?<AvgTotalTrackoutTime>\d+)" | timechart span=12h avg(AvgTotalTrackoutTime) aligntime=@d+7h by MicronSite

index2 : MicronSite=F6 index=mfg source=command_times area_id=Fabwide command_name IN (SigmaRunComplete,MESLotTrackOut)
| timechart partial=f span=12h aligntime=@d+7h avg(avg) by command_name
| addtotals fieldname=AvgTotalTrackoutTime

ITWhisperer · ‎11-07-2021

Try something like this

index1 : MicronSite IN($input_site$) index=mtparam sourcetype=CommandTimesByArea | rex field=_raw "Fabwide:AvgTotalTrackoutTime\s+(?<AvgTotalTrackoutTime>\d+)" | timechart span=12h avg(AvgTotalTrackoutTime) aligntime=@d+7h by MicronSite
| join type=left _time [
search index2 : MicronSite=F6 index=mfg source=command_times area_id=Fabwide command_name IN (SigmaRunComplete,MESLotTrackOut)
| timechart partial=f span=12h aligntime=@d+7h avg(avg) by command_name
| addtotals fieldname=AvgTotalTrackoutTime
]

florapann · ‎11-07-2021

when i run the query , it shows below like this. how should i remove that two column from chart?

ITWhisperer · ‎11-08-2021

| fields - MESLofTrackOut SignalRunComplete

how to combine two searches into one chart using checkbox input value

chart

join

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?