Splunk Search

how copmare two table values in one visualisation charts?

unsmoker
New Member

I have 2 tables with energy spent values by month of years, one for 2015 other for 2016. Can I put two table values in one table chart visualisation table?

Tags (3)
0 Karma

DalJeanis
SplunkTrust
SplunkTrust

Yes, you can append them together ...

| inputcsv myfirstfile.csv | inputcsv append=t mysecondfile.csv

... here's a way to simulate those results ...

| makeresults count=24 | streamstats count as monthno  
| eval _time=relative_time(_time,"-3y@y-1mon+".monthno."mon@mon") 
| eval usage=100*(50+ random()%50+random()%50)
| rename COMMENT as "The above just makes 24 months of data"

...and then either ...

1) make a 1-year graph with two series, one for each year...

| eval Year = strftime(_time,"%Y") 
| eval Month = strftime(_time,"%m %b") 
| eval _time = if(Year="2014", relative_time(_time,"+1y"),_time)
| chart sum(usage) over Month by Year

... or ...

2) make a single 2-year graph ...

| timechart sum(usage) by Year
| where _time=86400*floor(_time/86400)

The last part is to get rid of some garbage records that timechart has been adding onto the end lately

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...