topic Re: How to write a search to combine the sum of three metric name into one count? in Splunk Search

How to write a search to combine the sum of three metric name into one count?

soulmaker — Wed, 13 Sep 2023 21:24:25 GMT

Hello,

I have three search query below that I want to combine the three metric name sum into one total count. Can someone able to assist how I can write my query?

First Query:
| mstats sum(vault.token.creation.nonprod) as count where index=vault_metrics span=1h
| timechart sum(count) as count span=1h
| fillnull value=0
| eventstats perc90(count) perc50(count)

Second Query:
| mstats sum(vault.token.creation.dev) as count where index=vault_metrics span=1h
| timechart sum(count) as count span=1h
| fillnull value=0
| eventstats perc90(count) perc50(count)

Third Query:
| mstats sum(vault.token.creation.nonprod_preprod) as count where index=vault_metrics span=1h
| timechart sum(count) as count span=1h
| fillnull value=0
| eventstats perc90(count) perc50(count)

Re: How to write a search to combine the sum of three metric name into one count?

bowesmana — Wed, 13 Sep 2023 23:39:48 GMT

You are collecting from the same index, so just put all 3 counts in the same mstats

| mstats sum(vault.token.creation.nonprod) as count_nonprod sum(vault.token.creation.dev) as count_dev sum(vault.token.creation.nonprod_preprod) as count_nonprod_preprod where index=vault_metrics span=1h | addtotals | timechart sum(Total) as Total span=1h | fillnull value=0 | eventstats perc90(Total) as p90_Total perc50(Total) as p50_Total

The addtotals gives you a sume of all the count_* fields into a single new field Total, so then just use that new field total to calculate the percentiles

Re: How to write a search to combine the sum of three metric name into one count?

soulmaker — Wed, 13 Sep 2023 23:49:35 GMT

Thanks @bowesmana , you're a legend!