https://community.splunk.com/t5/Splunk-Search/merging-two-search-strings/m-p/86738#M22122 <P>I have two search string:<BR /> index=os source=Perfmon:LocalMainMemory <BR /> | where like(counter,"% Committed Bytes In Use")<BR /> | stats avg(Value) as "avgMemPct", max(Value) as "peakMemPct" by host</P> <P>index=os sourcetype=Perfmon:LocalProcessor <BR /> | where like(counter,"% Processor Time")<BR /> | stats avg(Value) as "avgCpuPct", max(Value) as "peakCpuPct" by host</P> <P>How to merge these two with out using JOIN. We can use OR.<BR /> I have tried <BR /> index=os source=Perfmon:LocalMainMemory OR sourcetype=Perfmon:LocalProcessor <BR /> | where like(counter,"% Committed Bytes In Use")<BR /> | where like(counter,"% Processor Time")<BR /> | stats avg(Value) as "avgMemPct", max(Value) as "peakMemPct" avg(Value1) as "avgCpuPct", max(Value1) as "peakCpuPct" by host</P> <P>But is it not giving any value. Looks like I cannot use Value1. Can anyone help me!!</P> Mon, 14 Jan 2013 19:37:52 GMT Splunk_U 2013-01-14T19:37:52Z https://community.splunk.com/t5/Splunk-Search/merging-two-search-strings/m-p/86738#M22122 <P>I have two search string:<BR /> index=os source=Perfmon:LocalMainMemory <BR /> | where like(counter,"% Committed Bytes In Use")<BR /> | stats avg(Value) as "avgMemPct", max(Value) as "peakMemPct" by host</P> <P>index=os sourcetype=Perfmon:LocalProcessor <BR /> | where like(counter,"% Processor Time")<BR /> | stats avg(Value) as "avgCpuPct", max(Value) as "peakCpuPct" by host</P> <P>How to merge these two with out using JOIN. We can use OR.<BR /> I have tried <BR /> index=os source=Perfmon:LocalMainMemory OR sourcetype=Perfmon:LocalProcessor <BR /> | where like(counter,"% Committed Bytes In Use")<BR /> | where like(counter,"% Processor Time")<BR /> | stats avg(Value) as "avgMemPct", max(Value) as "peakMemPct" avg(Value1) as "avgCpuPct", max(Value1) as "peakCpuPct" by host</P> <P>But is it not giving any value. Looks like I cannot use Value1. Can anyone help me!!</P> Mon, 14 Jan 2013 19:37:52 GMT https://community.splunk.com/t5/Splunk-Search/merging-two-search-strings/m-p/86738#M22122 Splunk_U 2013-01-14T19:37:52Z https://community.splunk.com/t5/Splunk-Search/merging-two-search-strings/m-p/86739#M22123 <P>That will not work. The first 'where' will filter out all but events with 'committed bytes', and the second will filter out all events but those that have 'processor time'. which will be none. </P> <P>Try doing something like this instead;</P> <PRE><CODE>index=x sourcetype=y OR sourcetype=z counter="*Processor Time" OR counter = "*Committed bytes*" | stats avg(Value) max(Value) by counter, host </CODE></PRE> <P>Hope this helps,</P> <P>Kristian</P> Mon, 14 Jan 2013 22:06:12 GMT https://community.splunk.com/t5/Splunk-Search/merging-two-search-strings/m-p/86739#M22123 kristian_kolb 2013-01-14T22:06:12Z https://community.splunk.com/t5/Splunk-Search/merging-two-search-strings/m-p/86740#M22124 <P>So is there no way of merging these two strings with OR..rght??</P> Mon, 14 Jan 2013 22:19:00 GMT https://community.splunk.com/t5/Splunk-Search/merging-two-search-strings/m-p/86740#M22124 Splunk_U 2013-01-14T22:19:00Z https://community.splunk.com/t5/Splunk-Search/merging-two-search-strings/m-p/86741#M22125 <P>Did you even try the suggestion? How do you 'read' the search? What does it do? OR?</P> Tue, 15 Jan 2013 07:44:25 GMT https://community.splunk.com/t5/Splunk-Search/merging-two-search-strings/m-p/86741#M22125 kristian_kolb 2013-01-15T07:44:25Z https://community.splunk.com/t5/Splunk-Search/merging-two-search-strings/m-p/86742#M22126 <P>I have also tried:<BR /> index=os source=Perfmon:LocalMainMemory OR sourcetype=Perfmon:LocalProcessor <BR /> | where like(counter,"% Committed Bytes In Use")<BR /> | eval CommittedBytes=Value<BR /> | where like(counter,"% Processor Time")<BR /> | eval ProcessorTime=Value<BR /> | stats avg(CommittedBytes) as "avgMemPct", max(CommittedBytes) as "peakMemPct" avg(ProcessorTime) as "avgCpuPct", max(ProcessorTime) as "peakCpuPct" by host but not working</P> Tue, 15 Jan 2013 13:35:16 GMT https://community.splunk.com/t5/Splunk-Search/merging-two-search-strings/m-p/86742#M22126 Splunk_U 2013-01-15T13:35:16Z https://community.splunk.com/t5/Splunk-Search/merging-two-search-strings/m-p/86743#M22127 <P>Kristian.. I have tried with your suggestion but it is giving the data in the format I want it to be. I need the data should come one row per host.It is not providing that</P> Tue, 15 Jan 2013 21:02:04 GMT https://community.splunk.com/t5/Splunk-Search/merging-two-search-strings/m-p/86743#M22127 Splunk_U 2013-01-15T21:02:04Z https://community.splunk.com/t5/Splunk-Search/merging-two-search-strings/m-p/86744#M22128 <P>Then have a look at the <CODE>chart</CODE> command.</P> <P>With 'chart blah blah over X by Y', you get the results on different axes.. axis? axises??</P> Tue, 15 Jan 2013 22:44:19 GMT https://community.splunk.com/t5/Splunk-Search/merging-two-search-strings/m-p/86744#M22128 kristian_kolb 2013-01-15T22:44:19Z