Solved: Re: How to overlay two searches on the same chart ...

hlarimer · ‎11-18-2014

I have 2 searches and would like to overlay them on the same chart. The first creates a stacked column chart:

index=av_log sourcetype=sophos_threat_events | dedup ComputerName FullFilePath | timechart count by ThreatType

The second creates a line graph:
index=av_log sourcetype=sophos_threat_events Status = Resolved | dedup ComputerName FullFilePath | timechart count

Any way to simply overlay these in Splunk 6.1 or 6.2?

martin_mueller · ‎11-18-2014

Without the dedup I'd throw them into one simple search, with the dedup I'd fall back to pesky appendcols:

index=av_log sourcetype=sophos_threat_events | dedup ComputerName FullFilePath | timechart count by ThreatType
| appendcols
  [index=av_log sourcetype=sophos_threat_events Status = Resolved | dedup ComputerName FullFilePath | timechart count as Status_Resolved]

Set the line overlay to show the StatusResolved field.

View solution in original post

martin_mueller · ‎11-18-2014

Without the dedup I'd throw them into one simple search, with the dedup I'd fall back to pesky appendcols:

index=av_log sourcetype=sophos_threat_events | dedup ComputerName FullFilePath | timechart count by ThreatType
| appendcols
  [index=av_log sourcetype=sophos_threat_events Status = Resolved | dedup ComputerName FullFilePath | timechart count as Status_Resolved]

Set the line overlay to show the StatusResolved field.

hlarimer · ‎11-18-2014

Thanks Martin, I just had to add "search" after the first "[" and it worked great.

martin_mueller · ‎11-18-2014

Ooooops 😄

How to overlay two searches on the same chart in Splunk 6.1 or 6.2?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases