Hi All,
I want to merge two timecharts in a single panel, I have a file transmission tracker query A - which tracks when the file transmisiion occurs.
Query B - tracks the triggered alerts ( negative condition - when the file doesnt come)
A:
index="fxr" fxr_ftpup_filename="DMM02YBRYBRPACEAVAILCOLLAT_*04*" OR fxr_ftpup_filename="DMM01YBRYBRCOLLATNAV_*05*" OR fxr_ftpup_filename="DMM10YBRDMMPaceRepoedgeInstruments_*_02*" OR fxr_ftpup_filename="DMM04YBRYBRPACEREPOTRD_*04*" OR fxr_ftpup_filename="DMM04YBRYBRPACEOTCTRD_*04*" | convert timeformat="%Y-%m-%d %H:%M:%S" ctime(_time) as FileTransmissionTime | rename fxr_ftpup_filename as FileName,fxr_status as Status| replace "DMM01YBRYBRCOLLATNAV_*05*" with "EXPALGONAV-BNYM TO DMM NAV","DMM02YBRYBRPACEAVAILCOLLAT_*04*" with "EXPALGOPOF-BNYM TO DMM Free Inventory","DMM10YBRDMMPaceRepoedgeInstruments_*_02*" with "EVNT- PRICE DEMAND 01:30AM","DMM04YBRYBRPACEREPOTRD_*04*" with "EXPALGOPOR-BNYM TO DMM Repo Transaction","DMM04YBRYBRPACEOTCTRD_*04*" with "EXPALGOOTC-BNYM TO DMM OTC Transaction" in FileName | timechart span=1m count by FileName
B:
index=_audit action=alert_fired ss_app=search |convert ctime(trigger_time) as Time | timechart count(ss_name) by ss_name
How to merge these both and show it in a single timechart.
Try this,
index="fxr" fxr_ftpup_filename="DMM02YBRYBRPACEAVAILCOLLAT_04" OR fxr_ftpup_filename="DMM01YBRYBRCOLLATNAV_05" OR fxr_ftpup_filename="DMM10YBRDMMPaceRepoedgeInstruments__02" OR fxr_ftpup_filename="DMM04YBRYBRPACEREPOTRD_04" OR fxr_ftpup_filename="DMM04YBRYBRPACEOTCTRD_04" | convert timeformat="%Y-%m-%d %H:%M:%S" ctime(time) as FileTransmissionTime | rename fxr_ftpup_filename as FileName,fxr_status as Status| replace "DMM01YBRYBRCOLLATNAV05" with "EXPALGONAV-BNYM TO DMM NAV","DMM02YBRYBRPACEAVAILCOLLAT_04" with "EXPALGOPOF-BNYM TO DMM Free Inventory","DMM10YBRDMMPaceRepoedgeInstruments__02" with "EVNT- PRICE DEMAND 01:30AM","DMM04YBRYBRPACEREPOTRD_04" with "EXPALGOPOR-BNYM TO DMM Repo Transaction","DMM04YBRYBRPACEOTCTRD_04" with "EXPALGOOTC-BNYM TO DMM OTC Transaction" in FileName | timechart span=1m count by FileName
| appendcols
[ search index=_audit action=alert_fired ss_app=search |convert ctime(trigger_time) as Time | timechart span=1m count(ss_name) by ss_name]
Have you looked at this approach? Might be what you are looking for.
http://answers.splunk.com/answers/7556/timechart-how-do-i-combine-these-two-charts-into-one.html