Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

how copmare two table values in one visualisation charts?

unsmoker
New Member
‎08-02-2017 09:32 PM

I have 2 tables with energy spent values by month of years, one for 2015 other for 2016. Can I put two table values in one table chart visualisation table?

Tags (3)
0 Karma
Reply

DalJeanis
Legend
‎08-03-2017 01:32 PM

Yes, you can append them together ...

| inputcsv myfirstfile.csv | inputcsv append=t mysecondfile.csv

... here's a way to simulate those results ...

| makeresults count=24 | streamstats count as monthno  
| eval _time=relative_time(_time,"-3y@y-1mon+".monthno."mon@mon") 
| eval usage=100*(50+ random()%50+random()%50)
| rename COMMENT as "The above just makes 24 months of data"

...and then either ...

1) make a 1-year graph with two series, one for each year...

| eval Year = strftime(_time,"%Y") 
| eval Month = strftime(_time,"%m %b") 
| eval _time = if(Year="2014", relative_time(_time,"+1y"),_time)
| chart sum(usage) over Month by Year

... or ...

2) make a single 2-year graph ... 

| timechart sum(usage) by Year
| where _time=86400*floor(_time/86400)

The last part is to get rid of some garbage records that timechart has been adding onto the end lately

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...