Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Merging two chart together

carrotball
New Member
‎03-07-2013 10:56 PM

Hi,

I'm currently have 2 charts, one is the number of sms sent during office hour, the other is after office hour. is there any way i can merge the 2 search queries as one?

sourcetype="CAS-v3" sender!="CHI" sender!="PNSMS" dept=TSID recipient="HEAT*" | where date_hour>8 and date_hour<19 | timechart span="month" count by recipient

sourcetype="CAS-v3" sender!="CHI" sender!="PNSMS" dept=TSID recipient="HEAT*" | where date_hour<8 or date_hour>19 | timechart span="month" count by recipient

Tags (1)
0 Karma
Reply

Ayn
Legend
‎03-08-2013 12:10 AM 
sourcetype="CAS-v3" sender!="CHI" sender!="PNSMS" dept=TSID recipient="HEAT*" | eval hour_type=case(date_hour>=8 AND date_hour<19,"office hours",date_hour<8 OR date_hour>=19,"outside office hours") |timechart span=1mon count by recipient,hour_type
Reply

carrotball
New Member
‎03-10-2013 11:04 PM

hmmmmm
thanks for the help, the second one works but cant display it by month...

wondering if i can tune it more. time to go read lol

0 Karma
Reply

MuS
Legend
‎03-08-2013 02:31 AM

I wonder if this will work, because 'timechart' can only take one 'split by' series, 'chart' can take two.

So for timechart it would be:
...| timechart span=1mon count(recipient) by hour_type

and for chart it would be:
...| chart count by recipient,hour_type

on the other hand, count(recipient) will count all events that have a recipient and not events for each recipient....

Reply

MuS
Legend
‎03-08-2013 01:54 AM

hmmmmm I must be doing something wrong here Ayn, but I get an 'Error in 'timechart' command: The argument 'hour_type' is invalid.' if I use your search?

0 Karma
Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...