https://community.splunk.com/t5/Splunk-Search/How-to-combine-the-results/m-p/513426#M144046 <P>Thank you&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/214410">@isoutamo</a>&nbsp;. My query with your suggestions works now.&nbsp;</P> Mon, 10 Aug 2020 20:11:18 GMT skavuri11 2020-08-10T20:11:18Z https://community.splunk.com/t5/Splunk-Search/How-to-combine-the-results/m-p/513395#M144037 <P>I am new to Splunk. I have the logs in the following format for our servers.&nbsp;</P><UL><LI>Host, CPU, %USAGE</LI><LI>Host, Memory, %Usage</LI><LI>Host, Load Average, % USAGE</LI><LI>Host, Swapping, %Usage</LI></UL><P>I need to create a query to display the results in the following format.&nbsp;</P><UL><LI>HOST, CPU Avg Usage, Memory Avg Usage, Load Avg Usage, Swapping Avg Usage</LI></UL><P>My query below is printing the same value for each of fields. Ex: it prints the same cpu value for all the rows. Any suggestions on the query?</P><DIV><PRE> index = index1 sourcetype=.... source=... | eval cpu_usage = [search index = ... sourcetype=... source=* | search metric_name=CPU_Utilization | stats avg(Usage) as "CPU_Usage" by host_name | return $CPU_Usage ] | eval memory_usage = [search index = ... sourcetype=... source=* | search metric_name=Memory_Utilization | stats avg(Usage) as "Memory_Usage" by host_name | return $Memory_Usage ] | eval load_usage = [search index = ... sourcetype=... source=* | search metric_name=Load_Utilization | stats avg(Usage) as "Load_Usage" by host_name | return $Load_Usage ] | eval swapping_usage = [search index = ... sourcetype=... source=* | search metric_name=Swapping_Utilization | stats avg(Usage) as "Swapping_Usage" by host_name | return $Swapping_Usage ] | stats values(cpu_usage) as "CPU Utilization", values(memory_usage) as "Memory Utilization", values(load_usage) as "Load Utilization", values(swapping_usage) as "Swapping Utilization" by host_name</PRE></DIV> Mon, 10 Aug 2020 16:21:34 GMT https://community.splunk.com/t5/Splunk-Search/How-to-combine-the-results/m-p/513395#M144037 skavuri11 2020-08-10T16:21:34Z https://community.splunk.com/t5/Splunk-Search/How-to-combine-the-results/m-p/513417#M144045 <P>Hi</P><P>please try the next:</P><P>&nbsp;</P><LI-CODE lang="java">index=_internal | head 1 | eval _raw = "Host, metric_name, usage f1, CPU, 10 f1, mem, 11 f1, mem, 12 f1, swap, 0 f1, load, 10 f1, load, 5 f1, CPU, 1" | multikv forceheader=1 | makemv metric_name | rename COMMENTS as "Previous prepare sample data" | eval {metric_name} = usage | stats avg(CPU) as aCPU avg(load) as aLoad avg(mem) as aMem avg(swap) as aSwap by Host</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>Here I suppose that you have field names: Host, metric_name, usage in your events.&nbsp;</P><P>Last two rows do the logic:</P><UL><LI>create new field name value of metric_name (CPU, men, swap or load) and assign usage% to it</LI><LI>stats just count averages by Host&nbsp;</LI></UL><P>r. Ismo</P> Mon, 10 Aug 2020 18:43:58 GMT https://community.splunk.com/t5/Splunk-Search/How-to-combine-the-results/m-p/513417#M144045 isoutamo 2020-08-10T18:43:58Z https://community.splunk.com/t5/Splunk-Search/How-to-combine-the-results/m-p/513426#M144046 <P>Thank you&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/214410">@isoutamo</a>&nbsp;. My query with your suggestions works now.&nbsp;</P> Mon, 10 Aug 2020 20:11:18 GMT https://community.splunk.com/t5/Splunk-Search/How-to-combine-the-results/m-p/513426#M144046 skavuri11 2020-08-10T20:11:18Z