Dashboards & Visualizations

Can you help me display 2 different fields from a search and a subsearch in the same line?

jip31
Motivator

Hello

I want to display the fields FullChargedCapacity and DesignedCapacity by host on the same line of my table.

Actually, I have a line for FullChargedCapacity and a line for DesignedCapacity.

I think I have to do a stats values somewhere but I'm not succeeding.

Could you help me please?

index="windows-wmi" sourcetype="WMI:BatteryFull"
| append [ search index="windows-wmi" sourcetype="wmi:BatteryStatic" ]
| table _time host FullChargedCapacity DesignedCapacity

woodcock
Esteemed Legend

Try this:

index="windows-wmi" sourcetype="WMI:BatteryFull" OR sourcetype="wmi:BatteryStatic" 
| stats first(FullChargedCapacity) AS FullChargedCapacity first(DesignedCapacity) AS DesignedCapacity first(_time) AS _time BY host


macadminrohit
Contributor
| makeresults
| eval Event1="xyz;1"
| makemv Event1 delim=";"
| eval host=mvindex(Event1,0)
| eval FullChargedCapacity=mvindex(Event1,1)
| append
    [| makeresults
    | eval Event2="xyz;2"
    | makemv Event2 delim=";"
    | eval host=mvindex(Event2,0)
    | eval DesignedCapacity=mvindex(Event2,1) ]
| table DesignedCapacity FullChargedCapacity host
| stats values(DesignedCapacity) values(FullChargedCapacity) by host


jip31
Motivator

Hi, it's good, but is it possible to have all the events instead of the last event?


woodcock
Esteemed Legend

Change first to list or values.


adonio
Ultra Champion

Try this:

index="windows-wmi" sourcetype="WMI:BatteryFull" OR sourcetype="wmi:BatteryStatic"
| table _time host FullChargedCapacity DesignedCapacity

jip31
Motivator

It's the same thing, because the timestamps for FullChargedCapacity and for DesignedCapacity are a little different each time.
Example:
2018-11-24 06:06:20.301 for FullChargedCapacity
2018-11-24 06:06:20.088 for DesignedCapacity


jip31
Motivator

I have done this, but there is a shift when the time is not exactly the same:

index="windows-wmi" sourcetype="WMI:BatteryFull" OR sourcetype="wmi:BatteryStatic"
| eval time = strftime(_time, "%m/%d/%Y %H:%M:%S")
| stats values(FullChargedCapacity) as FullChargedCapacity, values(DesignedCapacity) as DesignedCapacity BY host, time

https://cjoint.com/c/HKyiGGrMOXd


adonio
Ultra Champion

Each event has its own timestamp. What is your final goal?
You can use the | filldown command to append the null results to each of the lines.

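One way to line the two sourcetypes up when their timestamps differ by a fraction of a second, as an added example and not code from any post above: bucket _time with bin before the stats, so the BatteryFull and BatteryStatic events of one collection run land in the same row even when they straddle a second boundary. The makeresults rows are constructed sample data (hosts, capacities and epoch timestamps are assumed), and the 1-minute span is an assumed tolerance that should be narrowed to match how closely the two WMI inputs actually run.

```spl
| makeresults
| eval rows="host1;WMI:BatteryFull;41000;;1543039580.301,host1;wmi:BatteryStatic;;48000;1543039580.088,host2;WMI:BatteryFull;39500;;1543039581.100,host2;wmi:BatteryStatic;;48000;1543039579.950"
| makemv delim="," rows
| mvexpand rows
| rex field=rows "^(?<host>[^;]*);(?<sourcetype>[^;]*);(?<FullChargedCapacity>[^;]*);(?<DesignedCapacity>[^;]*);(?<ts>[^;]*)$"
| eval _time=tonumber(ts), FullChargedCapacity=if(FullChargedCapacity="", null(), tonumber(FullChargedCapacity)), DesignedCapacity=if(DesignedCapacity="", null(), tonumber(DesignedCapacity))
| fields - rows ts
| bin _time span=1m
| stats values(FullChargedCapacity) AS FullChargedCapacity values(DesignedCapacity) AS DesignedCapacity BY host _time
```

With these sample rows host2's two events sit in different seconds (06:06:21 and 06:06:19), so a stats keyed on strftime to the second splits them into two lines, while the 1-minute bin keeps them on one line per host.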