Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How can I combine these 3 queries

mukeshchandak
Engager
‎10-14-2020 06:45 AM

How can I combine these 3 queries given everything before pipe is same:

query1: index=abc source="*/d/e/f.log" artifact_id=g*h*i* host!=“jkl*” cloud=mno consumer_id=* response_code=*|timechart span=1m count

 query2: index=abc source="*/d/e/f.log" artifact_id=g*h*i* host!=“jkl*” cloud=mno consumer_id=* response_code=*|stats count(response_code) by response_code

query3:index=abc source="*/d/e/f.log" artifact_id=g*h*i* host!=“jkl*” cloud=mno consumer_id=* response_code=*| stats avg(response_time) as "Avg Response Time" max(response_time) as "Max Response Time" p99(response_time) as "99 Percentile" p95(response_time) as "95 Percentile"

Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-14-2020 06:51 AM

Hi @mukeshchandak,

what do you mean with "combine"?

do you want to use each search in a different panel of a dashboard?

or do you want to have one complessive search?

in the first case you can use the Post Process Search (you can find examples in the Splunk Dashboard Examples App), in other words, execute one time the main search and in each panel use the second part of search.

In the second case, it's difficult to merge two stats and a timechart; if you have three stats, with the same fields you could use the "append" command.

Ciao.

Giuseppe

0 Karma
Reply

mukeshchandak
Engager
‎10-14-2020 07:01 AM

Hi @gcusello  I wish to get a query out of these 3 queries which returns only relavant data(timechart span=1s count, stats count(response_code) by response_code, and stats avg(response_time) as "Avg Response Time" max(response_time) as "Max Response Time" p99(response_time) as "99 Percentile" p95(response_time) as "95 Percentile")

so that I can create summary index.

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-14-2020 07:49 AM

Hi @mukeshchandak,

for a summary index it's easier to use three searches not one!

anyway, if you want one search you have to modify the three searches giving to each one common fields, e.g. timestamp, value and response code, something like this (I don't know if is exactly what you want, but see my approach:

index=abc source="*/d/e/f.log" artifact_id=g*h*i* host!=“jkl*” cloud=mno consumer_id=* response_code=*
| bin span=1m _time 
| stats avg(response_time) as "Avg Response Time" max(response_time) as "Max Response Time" p99(response_time) as "99 Percentile" p95(response_time) as "95 Percentile" BY _time
| append [ search 
     index=abc source="*/d/e/f.log" artifact_id=g*h*i* host!=“jkl*” cloud=mno consumer_id=* response_code=*
     | bin span=1m _time
     | stats earliest(_time) AS _time count(response_code) As "Count Response Time" by response_code ]
| append [ search 
     index=abc source="*/d/e/f.log" artifact_id=g*h*i* host!=“jkl*” cloud=mno consumer_id=* response_code=*
     | stats earliest(_time) AS _time avg(response_time) as "Avg Response Time" max(response_time) as "Max Response Time" p99(response_time) as "99 Percentile" p95(response_time) as "95 Percentile" ]

Ciao.

Giuseppe

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...