Multiple searches on one chart

ericrobinson · ‎09-01-2010

Is it possible to have multiple search results represented on one chart? I have (2) searches defined that extract and return results. I want to coorelate these result sets on the same chart. Is that possible?

southeringtonp · ‎09-01-2010

Not directly.

You need to combine the two searches into a single search, but each search should have some field that is consistent across all results. This may be as simple as an OR clause, e.g.:

(host=foo) OR (host=bar)

In that case, you can split your chart by series "host".

In more complex scenarios, you might need to resort to something like append to merge the two searches -- then you can artificially add the identifying field, like so:

host=foo | eval series=SearchNumberOne | append [ search host=bar | eval series=SearchNumberTwo ]

This should give you a field called "searchname" in all results -- in your chart, you can then split on "series" to get both distinct datasets.

For more information you might want to refer to How Subsearches Work in the docs, and look for the append and set commands in particular.

Finally, I don't think that charting will let you split by multiple fields. If it won't, and you need that, you can also get creative with eval and string concatenation to generate a new composite field, and split your series on that, e.g.:

| eval series="SearchNumberOne - "+src_ip

motobeats · ‎07-03-2013

But does work when I enclose the string in quotes (i.e. "SearchNumberTwo")

motobeats · ‎07-03-2013

This didn't work for me. I do not see a field called "searchname" when I do fieldsummary

gkanapathy · ‎09-30-2010

More detail on graphing multiple split-by fields: http://www.splunk.com/base/Documentation/4.1.5/User/ReportOfMultipleDataSeries

Multiple searches on one chart

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes