- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- compare three searches in one timechart by month w...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am trying to display all the searches on single chart. My moto is to compare "first search", "second search", and "third search" in one timechart. Please help me
index="xyz" | timechart count(start_date) by month| rename NULL as "first search"
index="xyz" NOT login_id=0 | timechart count by login_id as "second search"
index="xyz" lead_comp_pct>="70" |search remote_comp_pct>="70" | search NOT login_duration_in_hours=0 | timechart count(start_date) as "third search"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
One way of doing this is to make use of the eval, append and stats commands. To show them all on the same chart, you need your search results all comparing apples to apples, as it were. You get your search results all in the same format with the necessary fields by using stats and create an arbitrary field using eval to identify each set of results as coming from the appropriate search (or however you want to differentiate them), then append your second and third searches (also using stats for formatting and fields) to your first search's results with append, then report on the final dataset with timechart. See if something like this will work for you:
index="xyz"
| eval SearchNumber="First Search"
| stats count(start_date) by SearchNumber, _time
| append [search index="xyz" NOT login_id=0
| eval SearchNumber="Second Search"
| stats count by SearchNumber, _time]
| append [search index="xyz" lead_comp_pct>=70 remote_comp_pct>=70 NOT login_duration_in_hours=0
| eval SearchNumber="Third Search"
| stats count (start_date) by Search_Number, _time]
| timechart count by SearchNumber span=mon
Modify the search however you need but this should illustrate the concept. I put in extra line breaks here so that the search is more readable, but you probably don't want them in your search bar. Also, I'm sure there are other ways of achieving what you need this but this is what comes to mind.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
One way of doing this is to make use of the eval, append and stats commands. To show them all on the same chart, you need your search results all comparing apples to apples, as it were. You get your search results all in the same format with the necessary fields by using stats and create an arbitrary field using eval to identify each set of results as coming from the appropriate search (or however you want to differentiate them), then append your second and third searches (also using stats for formatting and fields) to your first search's results with append, then report on the final dataset with timechart. See if something like this will work for you:
index="xyz"
| eval SearchNumber="First Search"
| stats count(start_date) by SearchNumber, _time
| append [search index="xyz" NOT login_id=0
| eval SearchNumber="Second Search"
| stats count by SearchNumber, _time]
| append [search index="xyz" lead_comp_pct>=70 remote_comp_pct>=70 NOT login_duration_in_hours=0
| eval SearchNumber="Third Search"
| stats count (start_date) by Search_Number, _time]
| timechart count by SearchNumber span=mon
Modify the search however you need but this should illustrate the concept. I put in extra line breaks here so that the search is more readable, but you probably don't want them in your search bar. Also, I'm sure there are other ways of achieving what you need this but this is what comes to mind.
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
