Hello,
I have two searches:
Search 1: something | timechart max(xyz)
Search 2: something | timechart count by host
Now I want to show both in one timechart.
something | timechart max(xyz) | appendcols [search something | timechart count by host]
If I search only for the last 8 hours, I get the proper timechart. But if I select last 24 hours or "today", I receive a chart which has search 1 on the left side and search 2 on the right side. If I mouse over search 2, I get "invalid timestamp", but the sizing is still right, just side by side...
What am I doing wrong?
Thanks a lot
Matthias
You should try using stats before timechart. Here's my swag at it, but I'm not sure what your intent is. Play with these examples:
something | stats max(xyz) as value by _time | join _time [ search something | stats count as value by host,_time] | timechart value by host
OR
something | stats max(xyz) as value by _time | append [ search something | stats count as value by host,_time] | timechart value by host
Hope this gives you some ideas. Also try reading EXPLORING SPLUNK: SEARCH PROCESSING LANGUAGE
What do I want to do?
Use case: Visualize in one timechart if issues in my IT environment impact sales numbers.
Br
Matthias
My suggestion is to use Advanced XML with jscharting, or use the AppFramework with your own charting library.
http://docs.splunk.com/Documentation/Splunk/latest/Viz/CustomChartingConfig-Overview
http://dev.splunk.com/view/new-app-framework-preview/SP-CAAAEMA
Hi,
timechart value by host
is not working - it says that timechart needs a function...
But I think I do not need the timechart function, because everything before it already allows me to create a timechart in my environment:
index="oidemo" planPrice | stats max(planPrice) as MaxPrice by _time | join _time [ search Error | stats count as value by _time]
Thanks a lot for your support