HI @aasabatini 

I am joining two queries in order to show both result in one graph,please refer below query

index="cx_aws" host="aw-lx0244.deltadev.ent" source ="pf-enrollee-family-roster-service" AND ("/persons/" OR "/contracts/") AND HttpStatusCode|bucket _time span=1h | stats count by _time |append [search index="cx_aws" host="aw-lx0244.deltadev.ent" source="pf-enrollee-family-roster-service" AND ("/persons/" OR "/contracts/") AND HttpStatusCode | eval TimeTaken3 = trim(replace(TimeTaken, ",","")) | eval REQUESTED_URL2 = trim(replace(REQUESTED_URL, "/contracts/",""))| eval REQUESTED_URL3 = trim(replace(REQUESTED_URL2, "/enrollees","")) | sort -num(TimeTaken3) | WHERE TimeTaken3>10000|bucket _time span=1h | stats count by _time]


But i am getting only one graph,in this graph only both query results are showing,refer below

but i need two lines (one for each query) in the graph

Hi @vinod0313 

sorry for the late reply.

I think you set the count field with the same name, try to modify the count name for each search.

example

index="cx_aws" host="aw-lx0244.deltadev.ent" source ="pf-enrollee-family-roster-service" AND ("/persons/" OR "/contracts/") AND HttpStatusCode|bucket _time span=1h | stats count as search1_count by _time |append [search index="cx_aws" host="aw-lx0244.deltadev.ent" source="pf-enrollee-family-roster-service" AND ("/persons/" OR "/contracts/") AND HttpStatusCode | eval TimeTaken3 = trim(replace(TimeTaken, ",","")) | eval REQUESTED_URL2 = trim(replace(REQUESTED_URL, "/contracts/",""))| eval REQUESTED_URL3 = trim(replace(REQUESTED_URL2, "/enrollees","")) | sort -num(TimeTaken3) | WHERE TimeTaken3>10000|bucket _time span=1h | stats count as search2_count by _time]