Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Appendcols Invalid Timestamp of Subsearch

Matthias_BY
Communicator
‎07-09-2013 08:15 AM

Hello,

i have two searches:

Search 1: something | timechart max(xyz)

Search 2: something | timechart count by host

now i want to show both in one time chart. 

something | timechart max(xyz) | appendcols [search something | timechart count by host]

if i search only for the last 8 hours i get the proper timechart. but if i select last 24 hours or "today" i receive a chart which has on the left side search one and on the right side search 2. if i do a mouse over from search 2 i get "invalid timestamp" but still the sizing is right but side by side...

what i'm doing wrong?

thanks a lot
Matthias

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bmacias84
Champion
‎07-09-2013 09:07 AM

You should try using stats before timechart. Here my swag at it, but I not sure what your intent is. Play with these examples 



something | stats max(xyz) as value by _time | join _time [ search something | stats count as value by host,_time] | timechart value by host

OR

something | stats max(xyz) as value by _time | append [ search something | stats count as value by host,_time] | timechart value by host

Hope this gives you some ideas. Also try reading EXPLORING SPLUNK: SEARCH PROCESSING LANGUAGE

View solution in original post

Reply
Solved! Jump to solution

Matthias_BY
Communicator
‎07-10-2013 02:30 AM

What i want to do?

Use Case: Visualize in one Timechart if Issues in my IT Enviornment impact sales numbers.

alt text

Br
Matthias

0 Karma
Reply
Solved! Jump to solution
Solution

bmacias84
Champion
‎07-09-2013 09:07 AM

You should try using stats before timechart. Here my swag at it, but I not sure what your intent is. Play with these examples 



something | stats max(xyz) as value by _time | join _time [ search something | stats count as value by host,_time] | timechart value by host

OR

something | stats max(xyz) as value by _time | append [ search something | stats count as value by host,_time] | timechart value by host

Hope this gives you some ideas. Also try reading EXPLORING SPLUNK: SEARCH PROCESSING LANGUAGE

Reply
Solved! Jump to solution

bmacias84
Champion
‎07-10-2013 07:40 AM

My suggestion is to use advanced xml with jscharting or use the AppFramework with your own charting library.

http://docs.splunk.com/Documentation/Splunk/latest/Viz/CustomChartingConfig-Overview

http://dev.splunk.com/view/new-app-framework-preview/SP-CAAAEMA

0 Karma
Reply
Solved! Jump to solution

Matthias_BY
Communicator
‎07-10-2013 02:24 AM

Hi,

timechart value by host

is not working - timechart needs a function is there written...

but i tink i do not need timechart function because everything before allows me already to create a timechart in my environment:

index="oidemo" planPrice | stats max(planPrice) as MaxPrice by _time | join _time [ search Error | stats count as value by _time]

thanks a lot for your support

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...