Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Combine two queries into a single value

tmurray3
Path Finder
‎09-20-2011 12:50 PM

I am trying to develop a dashboard which will display a single value panel. I created the following query:

index=iam_sitexfer AND ""/monitor/bigip.jsp HTTP/1.0" 200 " earliest=-5m 
|stats count by host, source 
|stats count
|rangemap field=count low=0-10 elevated=11-100 default=severe

The query returns a single range value of low, elevated or default.

I have another query which returns a single range value as well:

index=iam_sitexfer AND " AUTHENTICATED" earliest=-5m 
| stats count by host, source
|stats count
|rangemap field=count low=0-200 elevated=201-500 default=severe

Now I would like to somehow run the two queries together and return the highest range value status from either query.

For example, if query A range value returned low and query B returned severe, I would like to return only the the severe value.

Is there a way to run two queries and then evaluate the range value to return a single value?

Thanks in advance for your help!!

Tags (1)
0 Karma
Reply

tmurray3
Path Finder
‎09-21-2011 05:15 AM

Thanks that worked as planned.

0 Karma
Reply

Ayn
Legend
‎09-21-2011 07:12 AM

Great! Could you please mark my answer as accepted? That way it's easier to keep track of what issues are solved or not on the site.

0 Karma
Reply

Ayn
Legend
‎09-20-2011 01:58 PM

How about using append and then grab just the highest value from the two search results?

index=iam_sitexfer AND ""/monitor/bigip.jsp HTTP/1.0" 200 " earliest=-5m 
| stats count by host, source 
| stats count|rangemap field=count low=0-10 elevated=11-100 default=severe
| append
  [search index=iam_sitexfer AND " AUTHENTICATED" earliest=-5m
   | stats count by host, source
   | stats count
   | rangemap field=count low=0-200 elevated=201-500 default=severe]
| sort -count
| head 1
Reply

dwaddle
SplunkTrust
SplunkTrust
‎09-20-2011 06:46 PM

Another option might be to use eventtypes. Define an eventtype for each option, then you can do a single count by eventtype,host,source

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Discover how the Splunk Model Context Protocol (MCP) Server can revolutionize the way your organization uses ...