Solved: How to overlay two searches on the same chart in S...

hlarimer · ‎11-18-2014

I have 2 searches and would like to overlay them on the same chart. The first creates a stacked column chart:

index=av_log sourcetype=sophos_threat_events | dedup ComputerName FullFilePath | timechart count by ThreatType

The second creates a line graph:
index=av_log sourcetype=sophos_threat_events Status = Resolved | dedup ComputerName FullFilePath | timechart count

Any way to simply overlay these in Splunk 6.1 or 6.2?

martin_mueller · ‎11-18-2014

Without the dedup I'd throw them into one simple search, with the dedup I'd fall back to pesky appendcols:

index=av_log sourcetype=sophos_threat_events | dedup ComputerName FullFilePath | timechart count by ThreatType
| appendcols
  [index=av_log sourcetype=sophos_threat_events Status = Resolved | dedup ComputerName FullFilePath | timechart count as Status_Resolved]

Set the line overlay to show the StatusResolved field.

View solution in original post

martin_mueller · ‎11-18-2014

Without the dedup I'd throw them into one simple search, with the dedup I'd fall back to pesky appendcols:

index=av_log sourcetype=sophos_threat_events | dedup ComputerName FullFilePath | timechart count by ThreatType
| appendcols
  [index=av_log sourcetype=sophos_threat_events Status = Resolved | dedup ComputerName FullFilePath | timechart count as Status_Resolved]

Set the line overlay to show the StatusResolved field.

hlarimer · ‎11-18-2014

Thanks Martin, I just had to add "search" after the first "[" and it worked great.

martin_mueller · ‎11-18-2014

Ooooops 😄

How to overlay two searches on the same chart in Splunk 6.1 or 6.2?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!