https://community.splunk.com/t5/Splunk-Search/many-results-in-subsearch/m-p/43003#M10112 <P>Hi there! It appears that you can get your information without needing a subsearch, but you'll need to use some <STRONG>stats</STRONG> and <STRONG>eval</STRONG> magic with <STRONG>relative time</STRONG>. Basically, you'll perform one search that has all of the data you need, then use stats to average by host and eval your report key at the same time. Try the following, be sure to substitute "value" with the field name you want to use for the average:</P> <PRE><CODE>index="prd_stats" sourcetype=appman:linux host=foo* attribute=CPUUtilization earliest=-2month@month latest=-0month@month | fields _time value host | stats avg(eval(if(relative_time(_time,"@mon")=relative_time(now(),"-1mon@mon"),value,NULL))) AS "Laatste maand" avg(eval(if(relative_time(_time,"@mon")=relative_time(now(),"-2mon@mon"),value,NULL))) AS "Voorlaatste maand" by host </CODE></PRE> <P>The <STRONG>relative_time</STRONG> function in the eval statement compares the month in each event to the month it's looking for (either last month or the month before), which is a really handy little feature. Each eval statment basically says "if the month I'm looking for and the month of the event are equal, add the value to the average calculation for this column." I also added a <STRONG>fields</STRONG> section to your search to speed things up. I hope this helps, or is along the lines of what you're looking for.</P> Thu, 22 Aug 2013 17:37:30 GMT wpreston 2013-08-22T17:37:30Z https://community.splunk.com/t5/Splunk-Search/many-results-in-subsearch/m-p/43001#M10110 <P>Hello, newbie here...</P> <PRE><CODE>index="prd_stats" sourcetype=appman:linux host=foo* attribute=CPUUtilization earliest=-1month@month latest=-0month@month | stats avg(value) by host </CODE></PRE> <P>When I execute this search I get about 350.000 matching events and 40 results which I expect since I have 40 servers.<BR /> Now I want to compare this result with that from the month before so I constructed a search with a subsearch:</P> <PRE><CODE>index="prd_stats" sourcetype=appman:linux host=foo* attribute=CPUUtilization earliest=-2month@month latest=-1month@month | eval ReportKey="Voorlaatste maand" | append [search index="prd_stats" sourcetype=appman:linux host=foo* attribute=CPUUtilization earliest=-1month@month latest=-0month@month | eval ReportKey="Laatste maand" | stats avg(value) by reportkey </CODE></PRE> <P>However executing this search results in "Subsearch produced 50000 results, truncating to maxout 50000". I understand from documentation I shouldn't fiddle with the settings in limits.conf, so:</P> <P>How can I limit the amount of results in my subsearch without losing the information?</P> <P>Thanks in advance for your time.</P> <P>Bert</P> Thu, 22 Aug 2013 06:40:29 GMT https://community.splunk.com/t5/Splunk-Search/many-results-in-subsearch/m-p/43001#M10110 BertKraan 2013-08-22T06:40:29Z https://community.splunk.com/t5/Splunk-Search/many-results-in-subsearch/m-p/43002#M10111 <P>How about this? appending 2 stats resuls so you don't have to face the limitation of subsearch.</P> <PRE><CODE>index="prd_stats" sourcetype=appman:linux host=foo* attribute=CPUUtilization earliest=-2month@month latest=-1month@month | stats avg(value) as avg by host | eval ReportKey="2 month ago" | append [search index="prd_stats" sourcetype=appman:linux host=foo* attribute=CPUUtilization earliest=-1month@month latest=@month | stats avg(value) avg by host | eval ReportKey="1 month ago" ] | xyseries host ReportKey avg </CODE></PRE> <P>This search will give you a table, where hosts on Y, ReportKeys on X, and avg(count) on X-Y crossed.</P> Thu, 22 Aug 2013 09:15:55 GMT https://community.splunk.com/t5/Splunk-Search/many-results-in-subsearch/m-p/43002#M10111 melonman 2013-08-22T09:15:55Z https://community.splunk.com/t5/Splunk-Search/many-results-in-subsearch/m-p/43003#M10112 <P>Hi there! It appears that you can get your information without needing a subsearch, but you'll need to use some <STRONG>stats</STRONG> and <STRONG>eval</STRONG> magic with <STRONG>relative time</STRONG>. Basically, you'll perform one search that has all of the data you need, then use stats to average by host and eval your report key at the same time. Try the following, be sure to substitute "value" with the field name you want to use for the average:</P> <PRE><CODE>index="prd_stats" sourcetype=appman:linux host=foo* attribute=CPUUtilization earliest=-2month@month latest=-0month@month | fields _time value host | stats avg(eval(if(relative_time(_time,"@mon")=relative_time(now(),"-1mon@mon"),value,NULL))) AS "Laatste maand" avg(eval(if(relative_time(_time,"@mon")=relative_time(now(),"-2mon@mon"),value,NULL))) AS "Voorlaatste maand" by host </CODE></PRE> <P>The <STRONG>relative_time</STRONG> function in the eval statement compares the month in each event to the month it's looking for (either last month or the month before), which is a really handy little feature. Each eval statment basically says "if the month I'm looking for and the month of the event are equal, add the value to the average calculation for this column." I also added a <STRONG>fields</STRONG> section to your search to speed things up. I hope this helps, or is along the lines of what you're looking for.</P> Thu, 22 Aug 2013 17:37:30 GMT https://community.splunk.com/t5/Splunk-Search/many-results-in-subsearch/m-p/43003#M10112 wpreston 2013-08-22T17:37:30Z https://community.splunk.com/t5/Splunk-Search/many-results-in-subsearch/m-p/43004#M10113 <P>This answers my question totally! Thanks, now I'll try to understand the magic of stats, eval and relative time.</P> Mon, 26 Aug 2013 06:11:58 GMT https://community.splunk.com/t5/Splunk-Search/many-results-in-subsearch/m-p/43004#M10113 BertKraan 2013-08-26T06:11:58Z