timechart with calculated field

dbautist · ‎02-13-2013

I have two separate searches and I want to display the results in 1 timechart with a calculated field.

"searchA" | timechart span=1d count AS SEARCH_A

             SEARCH_A

2/12/2013 5

2/13/2013 4

"totalSearch" | timechart span=1d count as TOTAL_SEARCH

             TOTAL_SEARCH

2/12/2013 8
2/13/2013 11

I'm using appendcols but I can't get SEARCH_B to display.

The combined result should be something like:
SEARCH_A SEARCH_B TOTAL_SEARCH
2/12/2013 5 3 8
2/13/2013 4 7 11

lguinn2 · ‎02-14-2013

Is it possible that you forgot to put the search keyword in your subsearch?

Or, try this instead:

"searchA" 
| eval series="Search A" 
| append [ search "totalSearch" | eval series="Search B" ]
| timechart span=1d count by series

Note that the second search is limited to 50,000 events by default. If that is not enough, you could do it this way instead - not as clean, but workable:

"searchA" 
| bucket _time span=1d
| stats count by _time
| eval series="Search A" 
| append [ search "totalSearch" 
    | bucket _time span=1d
    | stats count by _time
    | eval series="Search B" ]
| timechart span=1d sum(count) as Count by series

dbautist · ‎02-14-2013

Yes, I forgot the 'search' inside the subsearch, but I'm still facing the same problem. My issue here is that it's not recognizing the field from the outer search, which I'm using to calculate a value in the subsearch. To make the query clearer:

The SEARCH_B_COUNT is derived from the difference between total count and searchA count, but it's not recognizing the SEARCH_A_COUNT

timechart with calculated field

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases