Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Dashboards & Visualizations
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Re: How to merge two timecharts in a single dashbo...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to merge two timecharts in a single dashboard panel?
xbbj3nj
Path Finder
11-03-2014
12:18 AM
Hi All,
I want to merge two timecharts in a single panel, I have a file transmission tracker query A - which tracks when the file transmisiion occurs.
Query B - tracks the triggered alerts ( negative condition - when the file doesnt come)
A:
index="fxr" fxr_ftpup_filename="DMM02YBRYBRPACEAVAILCOLLAT_*04*" OR fxr_ftpup_filename="DMM01YBRYBRCOLLATNAV_*05*" OR fxr_ftpup_filename="DMM10YBRDMMPaceRepoedgeInstruments_*_02*" OR fxr_ftpup_filename="DMM04YBRYBRPACEREPOTRD_*04*" OR fxr_ftpup_filename="DMM04YBRYBRPACEOTCTRD_*04*" | convert timeformat="%Y-%m-%d %H:%M:%S" ctime(_time) as FileTransmissionTime | rename fxr_ftpup_filename as FileName,fxr_status as Status| replace "DMM01YBRYBRCOLLATNAV_*05*" with "EXPALGONAV-BNYM TO DMM NAV","DMM02YBRYBRPACEAVAILCOLLAT_*04*" with "EXPALGOPOF-BNYM TO DMM Free Inventory","DMM10YBRDMMPaceRepoedgeInstruments_*_02*" with "EVNT- PRICE DEMAND 01:30AM","DMM04YBRYBRPACEREPOTRD_*04*" with "EXPALGOPOR-BNYM TO DMM Repo Transaction","DMM04YBRYBRPACEOTCTRD_*04*" with "EXPALGOOTC-BNYM TO DMM OTC Transaction" in FileName | timechart span=1m count by FileName
B:
index=_audit action=alert_fired ss_app=search |convert ctime(trigger_time) as Time | timechart count(ss_name) by ss_name
How to merge these both and show it in a single timechart.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
vasanthmss
Motivator
11-03-2014
11:55 AM
Try this,
index="fxr" fxr_ftpup_filename="DMM02YBRYBRPACEAVAILCOLLAT_04" OR fxr_ftpup_filename="DMM01YBRYBRCOLLATNAV_05" OR fxr_ftpup_filename="DMM10YBRDMMPaceRepoedgeInstruments__02" OR fxr_ftpup_filename="DMM04YBRYBRPACEREPOTRD_04" OR fxr_ftpup_filename="DMM04YBRYBRPACEOTCTRD_04" | convert timeformat="%Y-%m-%d %H:%M:%S" ctime(time) as FileTransmissionTime | rename fxr_ftpup_filename as FileName,fxr_status as Status| replace "DMM01YBRYBRCOLLATNAV05" with "EXPALGONAV-BNYM TO DMM NAV","DMM02YBRYBRPACEAVAILCOLLAT_04" with "EXPALGOPOF-BNYM TO DMM Free Inventory","DMM10YBRDMMPaceRepoedgeInstruments__02" with "EVNT- PRICE DEMAND 01:30AM","DMM04YBRYBRPACEREPOTRD_04" with "EXPALGOPOR-BNYM TO DMM Repo Transaction","DMM04YBRYBRPACEOTCTRD_04" with "EXPALGOOTC-BNYM TO DMM OTC Transaction" in FileName | timechart span=1m count by FileName
| appendcols
[ search index=_audit action=alert_fired ss_app=search |convert ctime(trigger_time) as Time | timechart span=1m count(ss_name) by ss_name]
V
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sk314
Builder
11-03-2014
10:33 AM
Have you looked at this approach? Might be what you are looking for.
http://answers.splunk.com/answers/7556/timechart-how-do-i-combine-these-two-charts-into-one.html
Get Updates on the Splunk Community!
Join Us for Splunk University and Get Your Bootcamp Game On!
If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...
.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!
.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...
Announcing Scheduled Export GA for Dashboard Studio
We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...
