https://community.splunk.com/t5/Reporting/multiple-splunk-search-queries/m-p/534295#M8664 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/229941">@appusplunk14</a>&nbsp;What's&nbsp;<SPAN>peakTime?</SPAN></P><P><SPAN><STRONG>untable</STRONG> is need for second <STRONG>timechart</STRONG>.</SPAN></P> Tue, 29 Dec 2020 02:26:04 GMT to4kawa 2020-12-29T02:26:04Z https://community.splunk.com/t5/Reporting/multiple-splunk-search-queries/m-p/534274#M8661 <P>Team,</P><P>i would like to generate TPS based on two different search criteria but both has to run single report and should be populate both TPS values in single report.</P><P>Query 1:</P><P>index=abc "String 1"<BR />| bin _time span=1s<BR />| chart count as TPS by _time<BR />| timechart max(TPS) as peakTPS eval(round(avg(TPS),2)) as avgTPS span=1h</P><P>Query 2:</P><P>index=abc "String1" OR "String 2"<BR />| bin _time span=1s<BR />| chart count as TPS by _time<BR />| timechart max(TPS) as peakTPS eval(round(avg(TPS),2)) as avgTPS span=1h</P><P>&nbsp;</P><P>Here query 1 finds TPS and Peak TPS based on one particular string and query 2 find TPS , Peak TPS based on string which i used on query 1 and another string on top of it. Now i would like to get merge both of then in single query so that one single report is enough for providing metrics</P> Mon, 28 Dec 2020 21:08:28 GMT https://community.splunk.com/t5/Reporting/multiple-splunk-search-queries/m-p/534274#M8661 appusplunk14 2020-12-28T21:08:28Z https://community.splunk.com/t5/Reporting/multiple-splunk-search-queries/m-p/534290#M8662 <P>sample:</P><LI-CODE lang="markup">index=_internal "splunkd" OR "sourcetype" | eval matches=if(searchmatch("splunkd"),"splunkd","sourcetype") | bin _time span=1s | chart count as TPS by _time matches | untable _time matches TPS | timechart max(TPS) as peakTPS eval(round(avg(TPS),2)) as avgTPS span=1h by matches</LI-CODE> Tue, 29 Dec 2020 00:33:40 GMT https://community.splunk.com/t5/Reporting/multiple-splunk-search-queries/m-p/534290#M8662 to4kawa 2020-12-29T00:33:40Z https://community.splunk.com/t5/Reporting/multiple-splunk-search-queries/m-p/534294#M8663 <P>thank you , its working&nbsp; good but i would like to include peakTime for both different search criteria , how do i do that? and what exactly untable means ? why are we using untable in this requirement?&nbsp;</P> Tue, 29 Dec 2020 02:03:17 GMT https://community.splunk.com/t5/Reporting/multiple-splunk-search-queries/m-p/534294#M8663 appusplunk14 2020-12-29T02:03:17Z https://community.splunk.com/t5/Reporting/multiple-splunk-search-queries/m-p/534295#M8664 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/229941">@appusplunk14</a>&nbsp;What's&nbsp;<SPAN>peakTime?</SPAN></P><P><SPAN><STRONG>untable</STRONG> is need for second <STRONG>timechart</STRONG>.</SPAN></P> Tue, 29 Dec 2020 02:26:04 GMT https://community.splunk.com/t5/Reporting/multiple-splunk-search-queries/m-p/534295#M8664 to4kawa 2020-12-29T02:26:04Z https://community.splunk.com/t5/Reporting/multiple-splunk-search-queries/m-p/534373#M8665 <P>consider if i see peak TPS at 08:00 AM MST then i would like to print time stamp for that duration.&nbsp;</P> Tue, 29 Dec 2020 15:40:59 GMT https://community.splunk.com/t5/Reporting/multiple-splunk-search-queries/m-p/534373#M8665 appusplunk14 2020-12-29T15:40:59Z https://community.splunk.com/t5/Reporting/multiple-splunk-search-queries/m-p/534394#M8666 <P>Your first query didn't give us such a number, did it?<BR />I can't create something out of thin air.</P> Tue, 29 Dec 2020 21:59:34 GMT https://community.splunk.com/t5/Reporting/multiple-splunk-search-queries/m-p/534394#M8666 to4kawa 2020-12-29T21:59:34Z https://community.splunk.com/t5/Reporting/multiple-splunk-search-queries/m-p/534581#M8668 <P>given query is displaying data like below:</P><P>2020-12-31 10:00 108.77 56.91 1835 143<BR />2020-12-31 11:00 109.00 54.49 2167 119<BR />2020-12-31 12:00 110.47 56.49 1823 131</P><P>as i said we want to display time during which we had high number of events in that hour.</P> Thu, 31 Dec 2020 17:32:35 GMT https://community.splunk.com/t5/Reporting/multiple-splunk-search-queries/m-p/534581#M8668 appusplunk14 2020-12-31T17:32:35Z https://community.splunk.com/t5/Reporting/multiple-splunk-search-queries/m-p/534589#M8669 <LI-CODE lang="markup">index=_internal "splunkd" OR "sourcetype" | eval matches=if(searchmatch("splunkd"),"splunkd","sourcetype") | bin _time span=1s | chart count as TPS by _time matches | untable _time matches TPS | timechart max(TPS) as peakTPS eval(round(avg(TPS),2)) as avgTPS span=1h by matches | untable _time tps value | eventstats max(value) as max_TPS by tps | eval high_time=if(max_TPS==value,tps,NULL) | xyseries _time tps value high_time | foreach high* [ eval high_time=mvappend(high_time,'&lt;&lt;FIELD&gt;&gt;')] | rename "value: *" as * | fields - high_time:* | table _time avg* peak* high_time</LI-CODE> Thu, 31 Dec 2020 22:46:29 GMT https://community.splunk.com/t5/Reporting/multiple-splunk-search-queries/m-p/534589#M8669 to4kawa 2020-12-31T22:46:29Z