Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Realtime Combined Search

aaronkorn
Splunk Employee
Splunk Employee
‎04-02-2013 10:40 AM

What is the best way to combine two different searches with results that can be used in a realtime dashboard? We used appendcols but found out that you cannot use it with realtime.

We have this search right now but how would be transform it to be realtime compatable?

index=os source=cpu host=x38dev10 | multikv fields | timechart span=30s avg(pctUser) as User, avg(pctSystem) as System | appendcols [search index="os" sourcetype="ps" host=x38dev10 | multikv fields pctCPU, COMMAND, USER | search USER=redis OR tomcat | eval process=USER."/".COMMAND | timechart span=30s avg(pctCPU) by process useother="f"]

Thanks!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎04-02-2013 10:57 AM

In general, every subsearch finishes before the main search starts. Real-time searches do not finish, hence subsearches cannot be real-time.

I see you have one timechart without a by field, and one timechart with by process, so I'm assuming your end result columns look something like this?

_time User System process1 process2 process3 process4

?

If that's the case you should be able to combine your two searches using OR:

index=o host=x38dev10 (source=cpu OR sourcetype=ps)

Then do field extractions, filtering, eval, whatnot, and give your cpu source a process:

... | eval process=if(source=cpu, "CPU", process)

And throw it all into one timechart by process.

View solution in original post

Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎04-02-2013 10:57 AM

In general, every subsearch finishes before the main search starts. Real-time searches do not finish, hence subsearches cannot be real-time.

I see you have one timechart without a by field, and one timechart with by process, so I'm assuming your end result columns look something like this?

_time User System process1 process2 process3 process4

?

If that's the case you should be able to combine your two searches using OR:

index=o host=x38dev10 (source=cpu OR sourcetype=ps)

Then do field extractions, filtering, eval, whatnot, and give your cpu source a process:

... | eval process=if(source=cpu, "CPU", process)

And throw it all into one timechart by process.

Reply
Get Updates on the Splunk Community!

Index This | Why did the turkey cross the road?

November 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...