How To Join Results From Multiple Searches

Explorer

I'm trying to create a simple control chart (where I show a line 3 standard deviations away from the mean). I just need to calculate what the standard deviation is for my entire set of data, multiply by 3 and plot the line along with my data.

Originally I tried to use a pivot because I used DataSets for speed but eventually gave up.

Now I'm trying the search syntax and it appears like the "append" command is what I need.

host=serverName sourcetype=httpaccesslog | append [search host=serverName sourcetype=httpaccesslog | stats stdev(ResponseTime) as TotalStdDev] | table _time host ResponseTime TotalStdDev

I'm just trying to generate a simple table to start with that has the TotalStdDev copied for each entry. Maybe then I can start aggregating based on days. But I can't even get the total standard deviation for the entire data set into my table.

Any suggestions out there?
Thanks,

1 Solution

SplunkTrust

Give this a try

host=serverName sourcetype=http_access_log | eventstats stdev(ResponseTime) as TotalStdDev | table _time host ResponseTime TotalStdDev

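As an added illustration (not code from the thread or from Splunk), the following Python models why the two searches above give different table shapes: a `stats` inside `append` collapses to one row that is simply tacked on to the results, whereas `eventstats` computes the same aggregate and copies it onto every event, which is the shape a control chart needs. The events, the `UpperLimit`/`OutOfControl` field names and the 3-sigma line are constructed for this example; `statistics.stdev` is used because Splunk's `stdev` is the sample standard deviation (`stdevp` is the population one).

```python
import statistics

# Constructed sample data standing in for host=serverName sourcetype=http_access_log:
# nineteen ordinary response times plus one slow request (900) so a 3-sigma line has something to catch.
RESPONSE_TIMES = [120, 125, 122, 130, 128, 121, 124, 127, 123, 126,
                  129, 120, 125, 122, 130, 128, 121, 124, 127, 900]
EVENTS = [
    {"_time": f"2016-01-01T10:{i:02d}:00", "host": "serverName", "ResponseTime": float(rt)}
    for i, rt in enumerate(RESPONSE_TIMES)
]


def stats_stdev(events, field, as_name):
    """Model of `stats stdev(<field>) as <as_name>`: collapses all events into ONE
    result row. Events that lack the field are ignored, as Splunk's stats does."""
    values = [e[field] for e in events if field in e]
    return [{as_name: statistics.stdev(values)}]


def append_search(events, subsearch_rows):
    """Model of `| append [subsearch]`: the subsearch rows are added as extra rows.
    Nothing is joined, which is why the question's `table` showed TotalStdDev on a
    single row of its own instead of beside every event."""
    return list(events) + list(subsearch_rows)


def eventstats_stdev(events, field, as_name):
    """Model of `eventstats stdev(<field>) as <as_name>`: the aggregate is computed
    over all events and then copied onto each of them."""
    sd = stats_stdev(events, field, as_name)[0][as_name]
    return [dict(e, **{as_name: sd}) for e in events]


def control_chart(events, field="ResponseTime", k=3):
    """Add the control line (mean + k * stdev) and flag events beyond it.
    `UpperLimit` and `OutOfControl` are field names chosen for this example."""
    rows = eventstats_stdev(events, field, "TotalStdDev")
    mean = statistics.mean(e[field] for e in events if field in e)
    for r in rows:
        r["UpperLimit"] = mean + k * r["TotalStdDev"]
        r["OutOfControl"] = r.get(field, 0.0) > r["UpperLimit"]
    return rows


if __name__ == "__main__":
    appended = append_search(EVENTS, stats_stdev(EVENTS, "ResponseTime", "TotalStdDev"))
    print(f"append:     {len(appended)} rows, TotalStdDev present on "
          f"{sum('TotalStdDev' in r for r in appended)} of them")
    charted = control_chart(EVENTS)
    print(f"eventstats: {len(charted)} rows, TotalStdDev present on "
          f"{sum('TotalStdDev' in r for r in charted)} of them")
    for r in charted:
        if r["OutOfControl"]:
            print(f"{r['_time']} ResponseTime={r['ResponseTime']:.0f} "
                  f"exceeds UpperLimit={r['UpperLimit']:.1f}")
```

Run as a script it reports 21 rows with the aggregate on only one of them for the `append` form, 20 rows all carrying it for the `eventstats` form, and the single 900 ms request as the only point above the 3-sigma line. In SPL the same control line is `| eventstats avg(ResponseTime) as Mean stdev(ResponseTime) as TotalStdDev | eval UpperLimit=Mean+3*TotalStdDev`, which then charts directly alongside `ResponseTime`.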

Explorer

Nice! Thanks MuS and somesoni2!
I went with the eventstats option. It works beautifully.


SplunkTrust

Hi theironcook,

Take a look at this answer https://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-jo... ; it provides some examples of how it can be done. The answer is not limited to two source ... it can be applied to endless events.

Hope this helps ...

cheers, MuS