Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Combine two queries into a single value

tmurray3
Path Finder
‎09-20-2011 12:50 PM

I am trying to develop a dashboard which will display a single value panel. I created the following query:

index=iam_sitexfer AND ""/monitor/bigip.jsp HTTP/1.0" 200 " earliest=-5m 
|stats count by host, source 
|stats count
|rangemap field=count low=0-10 elevated=11-100 default=severe

The query returns a single range value of low, elevated or default.

I have another query which returns a single range value as well:

index=iam_sitexfer AND " AUTHENTICATED" earliest=-5m 
| stats count by host, source
|stats count
|rangemap field=count low=0-200 elevated=201-500 default=severe

Now I would like to somehow run the two queries together and return the highest range value status from either query.

For example, if query A range value returned low and query B returned severe, I would like to return only the the severe value.

Is there a way to run two queries and then evaluate the range value to return a single value?

Thanks in advance for your help!!

Tags (1)
0 Karma
Reply

tmurray3
Path Finder
‎09-21-2011 05:15 AM

Thanks that worked as planned.

0 Karma
Reply

Ayn
Legend
‎09-21-2011 07:12 AM

Great! Could you please mark my answer as accepted? That way it's easier to keep track of what issues are solved or not on the site.

0 Karma
Reply

Ayn
Legend
‎09-20-2011 01:58 PM

How about using append and then grab just the highest value from the two search results?

index=iam_sitexfer AND ""/monitor/bigip.jsp HTTP/1.0" 200 " earliest=-5m 
| stats count by host, source 
| stats count|rangemap field=count low=0-10 elevated=11-100 default=severe
| append
  [search index=iam_sitexfer AND " AUTHENTICATED" earliest=-5m
   | stats count by host, source
   | stats count
   | rangemap field=count low=0-200 elevated=201-500 default=severe]
| sort -count
| head 1
Reply

dwaddle
SplunkTrust
SplunkTrust
‎09-20-2011 06:46 PM

Another option might be to use eventtypes. Define an eventtype for each option, then you can do a single count by eventtype,host,source

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...