topic Re: Show a chart based on host found in another search in Splunk Search

Show a chart based on host found in another search

chadman — Thu, 21 Jul 2016 16:02:24 GMT

Ok, So I have two searches that work great. One will find computers with slow ping times. The other will create a chart of the ping times based on one host name. I would like somehow combine these two search's, but not sure how to do it. I would like my end result to be a chart that shows all the computers with slow ping times on one chart that plots there ping times.

Here is a search I use to grab the computers I would like to chart.

sourcetype="search1" earliest=-15m | where internal_time > 250 | stats count(internal_time) as Count by host | where Count > 3 | dedup host| table host,Count

And here is the chart I use to for one computer.

sourcetype="search1" host=$desktop$ | timechart avg(internal_time) as "Ping Time"

Re: Show a chart based on host found in another search

sundareshr — Thu, 21 Jul 2016 16:08:30 GMT

How about this?

sourcetype="search1" earliest=-60m@m | where internal_time > 250 | bin span=15m _time | stats count(internal_time) as Count avg(internal_time) as "Ping Time" by _time host | where Count > 3

Re: Show a chart based on host found in another search

somesoni2 — Thu, 21 Jul 2016 16:21:21 GMT

Suggestion - it's always better to specify the index name. You can see the difference just by adding the index name to your searches.

Try this

index=yourindex sourcetype="search1" [search index=yourindex sourcetype="search1" earliest=-15m internal_time > 250 | stats count(internal_time) as Count by host | where Count > 3 | dedup host| table host] | timechart avg(internal_time) as "Ping Time" by host

Re: Show a chart based on host found in another search

chadman — Thu, 21 Jul 2016 16:59:00 GMT

Thanks worked great!

Re: Show a chart based on host found in another search

chadman — Thu, 21 Jul 2016 17:13:00 GMT

Thanks for the tip! You solution also did what I was looking for. I was trying you approach at first, but could not get the syntax correct.

Re: Show a chart based on host found in another search

woodcock — Thu, 21 Jul 2016 18:04:34 GMT

Like this:

index=blah sourcetype="search1" [index=blah sourcetype="search1" earliest=-15m | where internal_time > 250 | stats count(internal_time) as Count by host | where Count > 3 | dedup host| table host] | timechart avg(internal_time) AS "Ping Time" BY host