Solved: Combining two line charts displaying values from t...

zd00191 · ‎07-01-2015

I have 2 searches :`

 index=os_windows Host="usatlb9*" object="Network Interface" counter="Bytes Total/sec" |timechart span=30m max(Value) as           "Total Bytes Per Second" by host

 index=os_windows Host="usatlb9*" object="Network Interface" counter="Current Bandwidth" |timechart span=30m max(Value) as "Maximum Network Bandwidth" by host

The field name, 'Value', is the same in both searches. I want to combine both of these line charts into one line chart so that I can see the total bytes per second over the maximum network bandwidth .

Please help! Thanks!

woodcock · ‎07-01-2015

This will do it:

index=os_windows Host="usatlb9*" object="Network Interface" | bucket _time span=30m | stats max(Value) AS Max by _time host counter | timechart span=30m first(Max) AS "Total Bytes Per Second" last(Max) AS "Maximum Network Bandwidth" by host

You might have to swap the names around (the part after AS).
WARNING: There will be problems if you have any period of 30 minutes without at least 1 log for each object+host

View solution in original post

woodcock · ‎07-01-2015

This will do it:

index=os_windows Host="usatlb9*" object="Network Interface" | bucket _time span=30m | stats max(Value) AS Max by _time host counter | timechart span=30m first(Max) AS "Total Bytes Per Second" last(Max) AS "Maximum Network Bandwidth" by host

You might have to swap the names around (the part after AS).
WARNING: There will be problems if you have any period of 30 minutes without at least 1 log for each object+host

Combining two line charts displaying values from the same field name

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life