Solved: Timechart, 2nd field value on the chart

dfofie · ‎10-22-2018

I have a timechart,

But I've liked to display another field value directly on one chart line. (see the picture)

This is the query I'm using:
index="testing_cc_ps" sourcetype="prc_l4_rqmt_progress" | eval newTime=strptime(date, "%Y-%m-%d") | eval _time=newTime | table _time, type, value | timechart span=1d values(value) by type usenull=false useother=f
The is a third field called Milestone, is it any possibility to write a query that can also plot those milestone on the chart ?
Best regards.

kmaron · ‎10-23-2018

try the appendcols command: https://docs.splunk.com/Documentation/Splunk/7.2.0/SearchReference/Appendcols

index="testing_cc_ps" sourcetype="prc_l4_rqmt_progress" 
| eval newTime=strptime(date, "%Y-%m-%d") 
| eval _time=newTime 
| table _time, type, value 
| timechart span=1d values(value) by type usenull=false useother=f
| appendcols [search (base search stuff) | timechart for milestones]

View solution in original post

kmaron · ‎10-23-2018

try the appendcols command: https://docs.splunk.com/Documentation/Splunk/7.2.0/SearchReference/Appendcols

index="testing_cc_ps" sourcetype="prc_l4_rqmt_progress" 
| eval newTime=strptime(date, "%Y-%m-%d") 
| eval _time=newTime 
| table _time, type, value 
| timechart span=1d values(value) by type usenull=false useother=f
| appendcols [search (base search stuff) | timechart for milestones]

Timechart, 2nd field value on the chart

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk