Dashboards & Visualizations

Combine two queries into a single value

tmurray3
Path Finder

I am trying to develop a dashboard which will display a single value panel. I created the following query:

index=iam_sitexfer AND "\"/monitor/bigip.jsp HTTP/1.0\" 200 " earliest=-5m 
|stats count by host, source 
|stats count
|rangemap field=count low=0-10 elevated=11-100 default=severe

The query returns a single range value of low, elevated or default.

I have another query which returns a single range value as well:

index=iam_sitexfer AND " AUTHENTICATED" earliest=-5m 
| stats count by host, source
|stats count
|rangemap field=count low=0-200 elevated=201-500 default=severe

Now I would like to somehow run the two queries together and return the highest range value status from either query.

For example, if query A range value returned low and query B returned severe, I would like to return only the severe value.

Is there a way to run two queries and then evaluate the range value to return a single value?

Thanks in advance for your help!!


tmurray3
Path Finder

Thanks that worked as planned.


Ayn
Legend

Great! Could you please mark my answer as accepted? That way it's easier to keep track of what issues are solved or not on the site.


Ayn
Legend

How about using append and then grab just the highest value from the two search results?

index=iam_sitexfer AND "\"/monitor/bigip.jsp HTTP/1.0\" 200 " earliest=-5m 
| stats count by host, source 
| stats count
| rangemap field=count low=0-10 elevated=11-100 default=severe
| append
  [search index=iam_sitexfer AND " AUTHENTICATED" earliest=-5m
   | stats count by host, source
   | stats count
   | rangemap field=count low=0-200 elevated=201-500 default=severe]
| sort -count
| head 1
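The append approach above ranks the two rows by raw count, but the two queries use different thresholds: a count of 150 is still low for the AUTHENTICATED query, while a count of 50 is already elevated for the bigip.jsp query, so the row with the highest count is not always the row with the highest range. The search below is an added example, not code from Ayn's answer, that maps the `range` field rangemap produces to a numeric severity and sorts on that instead; the `check` labels are assumed names added so the panel can show which query raised the status.

```spl
index=iam_sitexfer AND "\"/monitor/bigip.jsp HTTP/1.0\" 200 " earliest=-5m
| stats count by host, source
| stats count
| rangemap field=count low=0-10 elevated=11-100 default=severe
| eval check="bigip_monitor"
| append
  [search index=iam_sitexfer AND " AUTHENTICATED" earliest=-5m
   | stats count by host, source
   | stats count
   | rangemap field=count low=0-200 elevated=201-500 default=severe
   | eval check="authenticated"]
| eval severity=case(range=="severe", 3, range=="elevated", 2, range=="low", 1, true(), 0)
| sort -severity
| head 1
| table check, count, range
```

Because `stats count` emits a row with count=0 even when nothing matched, each branch always contributes a row and rangemap labels it low, so the single value panel still receives a value during a quiet five-minute window. For the panel itself, drop the `table` line or keep only `range` as the displayed field.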

dwaddle
SplunkTrust

Another option might be to use eventtypes. Define an eventtype for each option, then you can do a single count by eventtype,host,source

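dwaddle's eventtype suggestion, worked through as an added example (not code from the thread). It assumes two eventtypes, `bigip_monitor` and `authenticated`, defined in eventtypes.conf with `search = index=iam_sitexfer "\"/monitor/bigip.jsp HTTP/1.0\" 200 "` and `search = index=iam_sitexfer " AUTHENTICATED"` respectively; the eventtype names are assumptions. Since rangemap applies one set of thresholds to every row, the per-eventtype thresholds from the question are expressed with eval/case instead, and the final append supplies a fallback row so the panel never comes back empty.

```spl
index=iam_sitexfer earliest=-5m (eventtype=bigip_monitor OR eventtype=authenticated)
| stats count by eventtype, host, source
| stats count by eventtype
| eval range=case(
    eventtype=="bigip_monitor" AND count<=10,  "low",
    eventtype=="bigip_monitor" AND count<=100, "elevated",
    eventtype=="authenticated" AND count<=200, "low",
    eventtype=="authenticated" AND count<=500, "elevated",
    true(), "severe")
| eval severity=case(range=="severe", 3, range=="elevated", 2, true(), 1)
| append [| makeresults | eval eventtype="none", count=0, range="low", severity=1]
| sort -severity
| head 1
| table eventtype, count, range
```

Unlike the append form, `stats count by eventtype` produces no row for an eventtype with zero events in the window, which is why the `makeresults` fallback row (assumed name "none") is added; it sorts below any real low, elevated or severe row and only surfaces when neither eventtype matched. The single search also avoids running the base search twice, which matters once the lookback grows beyond five minutes.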