I have attached the screenshot of those two charts I have made for reference. One workaround would be to have a single base search which merges search for both the base search and use that combined based search in your panel. 2) fields - total sort -count table Realm utilization count Percent rename. Query 2: "index=fin_mng |convert num("Other Expenses") as Other_Expenses | convert num("Travelling Expenses") as Travelling_Expenses | convert num("Employee Benefit Expenses") as Employee_Benefit_Expenses|convert num("Depreciation and Amortisation expense") as Depreciation_Amortisation_expense|convert num("Expenditure") as Expenditure| fillnull value=0|eval TotalExpenses= (Other_Expenses + Travelling_Expenses + Employee_Benefit_Expenses+Depreciation_Amortisation_expense+Expenditure)*(-1)| chart sum(TotalExpenses) as "Total Expenses" over source by Company_name |replace 2011-2012.csv with 2011-2012 2012-2013.csv with 2012-2013 2013-2014.csv with 2013-2014 2014-2015.csv with 2014-2015 2015-2016.csv with 2015-2016 | rename source as Year" *Query 1: "index=fin_mng | convert num("Income from Operations") as income_oper | convert num("Other Income") as other_income | convert num("Other Income _ Miscellaneous Income") as misc_income|fillnull value=0|eval TotalIncome= income_oper + other_income + misc_income|chart sum(TotalIncome) as "Total Expenses" over source by Company_name |replace 2011-2012.csv with 2011-2012 2012-2013.csv with 2012-2013 2013-2014.csv with 2013-2014 2014-2015.csv with 2014-2015 2015-2016.csv with 2015-2016 | rename source as Year" If that is the case, then you can try as below: indexSearchA indexSearchBfields CommonField as searchformattable SearchAFields. Note: Using - instead of html tag as it is not. Looking at your example, you are not joining two searches, you are filtering one search with common fields from other search. Filtering search query likely Productname 'Chrome' OR Productname'Skype'. no of Chrome, Mozilla, Skype, etc in different panels. Here are the queries of those two charts: With the help of base search, I want to prepare a dashboard where can get the display of different applications installed in the network respectively. The line graph may overlap on the columnar chart. I want them to be as they are but in a single chart instead of two different charts. indexsomeindex queryType'ts' filename RECON status1 dedup filename rename filename as Weekly join queryType search indexsomeindex queryType'ts' filename PNASC. One is a column chart and another one is a line chart.But I would like to have these 2 charts(column chart and line graph) in the same chart. both the above queries work individually but when joined as below. Or, you know, adding a non-loadjob multiple base search capability.I have made two charts based on two different search queries. the fact that Splunk is a billion-dollar company that cannot put BUTTONS (or single-value checkboxes, mostly) on its SimpleXML dashboards. Why don't you just remove the capability if you don't want people to use it.? I think Splunk would be better suited to, instead of taking the money I pay and using it to police my downvoting, to use that money to fix issues, e.g. Just trying to contribute to the community. I want to display the user names who does not triggers any request in the 2nd search. Now in my 1st search I have a username and in the 2nd search I see if the user goes through that request. Honestly, SA downvoting is so ridiculously policed and also inconsistent with the entire internet. Hi, I have 2 searches which i need to join using a common field let's say uniqueId. A value of 2 (default) means that Cribl Stream will retry after 2 seconds, then 4 seconds, then 8. Since downvoting doesn't actually remove the answer, the net positive of downvoting is more robust communal knowledge, and the net positive of not downvoting is, well, zero. Collect and replay data from Splunk queries. Otherwise people like me see the answer, assume it's accurate, and stop exploring avenues to fixing the problem because they've been told they can't fix it. It's not a slight to the person who posted it (isn't this how all internet forums work? a downvote isn't necessarily a personal slight? it's for the accuracy of communal knowledge?). Find events around the same time (+/- 10 seconds) around each event of the main search. I think downvoting solutions that say "sorry, you can't solve this problem" when they are no longer correct is extremely helpful to the community. Hi, cant seem to get what Im looking for working. And yes tangentially, the question literally says " multiple base searches" in the title. However, in this case the answer was not "here's an answer that works for version X" or "you can't do this in version X and below" (in which case downvoting would have been incorrect) but the answer was "there is not a solution to this problem (and here's a tangentially related workaround)", which is now wholly incorrect no matter what logical framework you use. I mean, I agree, you should not downvote an answer that works for some versions but not for others.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |