Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Appendcols Invalid Timestamp of Subsearch

Matthias_BY
Communicator
‎07-09-2013 08:15 AM

Hello,

i have two searches:

Search 1: something | timechart max(xyz)

Search 2: something | timechart count by host

now i want to show both in one time chart. 

something | timechart max(xyz) | appendcols [search something | timechart count by host]

if i search only for the last 8 hours i get the proper timechart. but if i select last 24 hours or "today" i receive a chart which has on the left side search one and on the right side search 2. if i do a mouse over from search 2 i get "invalid timestamp" but still the sizing is right but side by side...

what i'm doing wrong?

thanks a lot
Matthias

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bmacias84
Champion
‎07-09-2013 09:07 AM

You should try using stats before timechart. Here my swag at it, but I not sure what your intent is. Play with these examples 



something | stats max(xyz) as value by _time | join _time [ search something | stats count as value by host,_time] | timechart value by host

OR

something | stats max(xyz) as value by _time | append [ search something | stats count as value by host,_time] | timechart value by host

Hope this gives you some ideas. Also try reading EXPLORING SPLUNK: SEARCH PROCESSING LANGUAGE

View solution in original post

Reply
Solved! Jump to solution

Matthias_BY
Communicator
‎07-10-2013 02:30 AM

What i want to do?

Use Case: Visualize in one Timechart if Issues in my IT Enviornment impact sales numbers.

alt text

Br
Matthias

0 Karma
Reply
Solved! Jump to solution
Solution

bmacias84
Champion
‎07-09-2013 09:07 AM

You should try using stats before timechart. Here my swag at it, but I not sure what your intent is. Play with these examples 



something | stats max(xyz) as value by _time | join _time [ search something | stats count as value by host,_time] | timechart value by host

OR

something | stats max(xyz) as value by _time | append [ search something | stats count as value by host,_time] | timechart value by host

Hope this gives you some ideas. Also try reading EXPLORING SPLUNK: SEARCH PROCESSING LANGUAGE

Reply
Solved! Jump to solution

bmacias84
Champion
‎07-10-2013 07:40 AM

My suggestion is to use advanced xml with jscharting or use the AppFramework with your own charting library.

http://docs.splunk.com/Documentation/Splunk/latest/Viz/CustomChartingConfig-Overview

http://dev.splunk.com/view/new-app-framework-preview/SP-CAAAEMA

0 Karma
Reply
Solved! Jump to solution

Matthias_BY
Communicator
‎07-10-2013 02:24 AM

Hi,

timechart value by host

is not working - timechart needs a function is there written...

but i tink i do not need timechart function because everything before allows me already to create a timechart in my environment:

index="oidemo" planPrice | stats max(planPrice) as MaxPrice by _time | join _time [ search Error | stats count as value by _time]

thanks a lot for your support

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...