Dashboards & Visualizations

Combine two queries into a single value

tmurray3
Path Finder

I am trying to develop a dashboard which will display a single value panel. I created the following query:

index=iam_sitexfer AND "\"/monitor/bigip.jsp HTTP/1.0\" 200 " earliest=-5m
| stats count by host, source
| stats count
| rangemap field=count low=0-10 elevated=11-100 default=severe

The query returns a single range value of low, elevated or default.

I have another query which returns a single range value as well:

index=iam_sitexfer AND " AUTHENTICATED" earliest=-5m
| stats count by host, source
| stats count
| rangemap field=count low=0-200 elevated=201-500 default=severe

Now I would like to somehow run the two queries together and return the highest range value status from either query.

For example, if query A range value returned low and query B returned severe, I would like to return only the severe value.

Is there a way to run two queries and then evaluate the range value to return a single value?

Thanks in advance for your help!!


tmurray3
Path Finder

Thanks that worked as planned.


Ayn
Legend

Great! Could you please mark my answer as accepted? That way it's easier to keep track of what issues are solved or not on the site.


Ayn
Legend

How about using append and then grab just the highest value from the two search results?

index=iam_sitexfer AND "\"/monitor/bigip.jsp HTTP/1.0\" 200 " earliest=-5m
| stats count by host, source
| stats count
| rangemap field=count low=0-10 elevated=11-100 default=severe
| append
  [search index=iam_sitexfer AND " AUTHENTICATED" earliest=-5m
   | stats count by host, source
   | stats count
   | rangemap field=count low=0-200 elevated=201-500 default=severe]
| sort -count
| head 1
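
An added example (not posted by Ayn or anyone else on this thread) that sorts on the severity label rather than the raw count: the two searches use different thresholds, so a count of 300 is only "elevated" in the AUTHENTICATED search while a count of 150 is already "severe" in the bigip.jsp search, and `sort -count` would pick the wrong one. Mapping the `range` field that rangemap produces onto a number and sorting on that returns the worst status either way. The `check` label and the `sev` field are my own names, and the `\"` escaping of the literal quotes in the log line is assumed.

```spl
index=iam_sitexfer "\"/monitor/bigip.jsp HTTP/1.0\" 200 " earliest=-5m
| stats count by host, source
| stats count
| rangemap field=count low=0-10 elevated=11-100 default=severe
| eval check="bigip_monitor"
| append
    [search index=iam_sitexfer " AUTHENTICATED" earliest=-5m
     | stats count by host, source
     | stats count
     | rangemap field=count low=0-200 elevated=201-500 default=severe
     | eval check="authenticated"]
| eval sev=case(range=="severe", 3, range=="elevated", 2, range=="low", 1, true(), 0)
| sort -sev
| head 1
| fields check, count, range
```

Keeping `check` and `count` in the output tells the single-value panel's drilldown which of the two searches produced the status, which is what you want when the panel turns red at 3 a.m.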

dwaddle
SplunkTrust

Another option might be to use eventtypes. Define an eventtype for each option, then you can do a single count by eventtype, host, source.
