How to show results from two indexes in single timechart visualization?

kiran331
Builder

Hi

I have two data sources; how can I show them in a single timechart graph? This is the search I'm trying:

(index=abc result=a) OR (index=xyz find=c)|timechart span=10m count by index

kamlesh_vaghela
SplunkTrust

Hi kiran331,

Can you please try this one?

(index=abc result=a) OR (index=abc result=b) OR (index=xyz find=c)
| eval field = if(isnotnull(result) AND (index="abc" AND (result="a" OR result="b")), result, if(isnotnull(find) AND (index="xyz" AND find="c"), find, "undefined"))
| timechart span=10m count by field

Thanks
Kamlesh


woodcock
Esteemed Legend

Try this:

(index=abc result=a) OR (index=abc result=b) OR (index=xyz find=c)
| eval field=case(index="xyz", "c",
                  result="a", "a",
                  result="b", "b",
                  true(), "N/A")
| timechart span=10m count BY field

somesoni2
SplunkTrust

You can't use eval within the base search like that. You should add it after the base search using an expression based on the index name. Like this:

(index=abc result=a) OR (index=abc result=b|eval field=b) OR (index=xyz find=c|eval field=c)
| eval field=case(index="abc" AND result="a","a",index="abc" AND result="b", "b", index="xyz" AND find="c", "c", true(),"undefined")
|timechart span=10m count by field
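
The pattern both answers converge on (select events with the OR'd base search, then derive one common field with eval/case(), then timechart by that field) is modelled below in Python as an added example; it is not SPL from this thread and not Splunk code. The events in EVENTS are constructed, and base_search, derive_field and timechart_count_by_field are names chosen here to mirror the three stages of the search. It makes the point of the replies visible: the eval is applied after the selection, and the true() branch of case() is only a safety net, since nothing the base search returns falls through to it.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events (not real data): raw events as they sit in the two
# indexes before any search. Index abc carries `result`, index xyz carries `find`.
EVENTS = [
    {"_time": "2024-03-01T10:01:00Z", "index": "abc", "result": "a"},
    {"_time": "2024-03-01T10:04:00Z", "index": "abc", "result": "b"},
    {"_time": "2024-03-01T10:07:00Z", "index": "xyz", "find": "c"},
    {"_time": "2024-03-01T10:12:00Z", "index": "abc", "result": "a"},
    {"_time": "2024-03-01T10:15:00Z", "index": "xyz", "find": "c"},
    {"_time": "2024-03-01T10:18:00Z", "index": "xyz", "find": "c"},
    {"_time": "2024-03-01T10:25:00Z", "index": "abc", "result": "other"},  # dropped by base search
]

SPAN_SECONDS = 600  # span=10m


def base_search(events):
    """(index=abc result=a) OR (index=abc result=b) OR (index=xyz find=c)
    No eval belongs here: the base search only selects events."""
    return [
        e for e in events
        if (e.get("index") == "abc" and e.get("result") in ("a", "b"))
        or (e.get("index") == "xyz" and e.get("find") == "c")
    ]


def derive_field(event):
    """| eval field=case(index="abc" AND result="a","a",
                         index="abc" AND result="b","b",
                         index="xyz" AND find="c","c",
                         true(),"undefined")
    case() returns the value paired with the first condition that is true."""
    index = event.get("index")
    if index == "abc" and event.get("result") == "a":
        return "a"
    if index == "abc" and event.get("result") == "b":
        return "b"
    if index == "xyz" and event.get("find") == "c":
        return "c"
    return "undefined"  # true() catch-all so no event lands in a NULL column


def to_epoch(ts):
    """ISO-8601 UTC timestamp -> epoch seconds (Splunk's _time)."""
    return int(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
               .replace(tzinfo=timezone.utc).timestamp())


def timechart_count_by_field(events, span=SPAN_SECONDS):
    """| timechart span=10m count by field
    Returns one row per span that has events, with one column per field value.
    (Real timechart also emits empty buckets across the whole search window.)"""
    table = defaultdict(lambda: defaultdict(int))
    for e in events:
        epoch = to_epoch(e["_time"])
        bucket = epoch - epoch % span          # floor _time to the span boundary
        table[bucket][derive_field(e)] += 1
    columns = sorted({f for counts in table.values() for f in counts})
    rows = []
    for bucket in sorted(table):
        row = {"_time": datetime.fromtimestamp(bucket, tz=timezone.utc)
               .strftime("%Y-%m-%dT%H:%M:%SZ")}
        row.update({col: table[bucket].get(col, 0) for col in columns})
        rows.append(row)
    return rows


if __name__ == "__main__":
    # Base search first, eval afterwards, timechart last: the order of the pipeline.
    for row in timechart_count_by_field(base_search(EVENTS)):
        print(row)
```

Running it prints two rows (10:00 and 10:10 spans) with columns a, b and c, which is exactly the shape a line chart needs to draw one series per derived value; the 10:25 event never reaches the eval because the base search already excluded it.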

woodcock
Esteemed Legend

You left the eval parts in your base search.


somesoni2
SplunkTrust

What issue do you see with your current query? It should give you two lines (assuming you're using a line chart) for both indexes in one chart.


kiran331
Builder

Hi Somesoni2,

I have events from the same 2 indexes, so I'm not able to use count by index; when I try to use eval new=field it's showing an error.

Search I'm trying:

(index=abc result=a|eval field=a) OR (index=abc result=b|eval field=b) OR (index=xyz find=c|eval field=c)|timechart span=10m count by field
