timechart with calculated field

dbautist · ‎02-13-2013

I have two separate searches and I want to display the results in 1 timechart with a calculated field.

"searchA" | timechart span=1d count AS SEARCH_A

             SEARCH_A

2/12/2013 5

2/13/2013 4

"totalSearch" | timechart span=1d count as TOTAL_SEARCH

             TOTAL_SEARCH

2/12/2013 8
2/13/2013 11

I'm using appendcols but I can't get SEARCH_B to display.

The combined result should be something like:
SEARCH_A SEARCH_B TOTAL_SEARCH
2/12/2013 5 3 8
2/13/2013 4 7 11

lguinn2 · ‎02-14-2013

Is it possible that you forgot to put the search keyword in your subsearch?

Or, try this instead:

"searchA" 
| eval series="Search A" 
| append [ search "totalSearch" | eval series="Search B" ]
| timechart span=1d count by series

Note that the second search is limited to 50,000 events by default. If that is not enough, you could do it this way instead - not as clean, but workable:

"searchA" 
| bucket _time span=1d
| stats count by _time
| eval series="Search A" 
| append [ search "totalSearch" 
    | bucket _time span=1d
    | stats count by _time
    | eval series="Search B" ]
| timechart span=1d sum(count) as Count by series

dbautist · ‎02-14-2013

Yes, I forgot the 'search' inside the subsearch, but I'm still facing the same problem. My issue here is that it's not recognizing the field from the outer search, which I'm using to calculate a value in the subsearch. To make the query clearer:

The SEARCH_B_COUNT is derived from the difference between total count and searchA count, but it's not recognizing the SEARCH_A_COUNT

timechart with calculated field

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!