Solved: Realtime Combined Search

aaronkorn · ‎04-02-2013

What is the best way to combine two different searches with results that can be used in a realtime dashboard? We used appendcols but found out that you cannot use it with realtime.

We have this search right now but how would be transform it to be realtime compatable?

Thanks!

martin_mueller · ‎04-02-2013

In general, every subsearch finishes before the main search starts. Real-time searches do not finish, hence subsearches cannot be real-time.

I see you have one timechart without a by field, and one timechart with by process, so I'm assuming your end result columns look something like this?

_time User System process1 process2 process3 process4

?

If that's the case you should be able to combine your two searches using OR:

index=o host=x38dev10 (source=cpu OR sourcetype=ps)

Then do field extractions, filtering, eval, whatnot, and give your cpu source a process:

... | eval process=if(source=cpu, "CPU", process)

And throw it all into one timechart by process.

View solution in original post

martin_mueller · ‎04-02-2013

In general, every subsearch finishes before the main search starts. Real-time searches do not finish, hence subsearches cannot be real-time.

I see you have one timechart without a by field, and one timechart with by process, so I'm assuming your end result columns look something like this?

_time User System process1 process2 process3 process4

?

If that's the case you should be able to combine your two searches using OR:

index=o host=x38dev10 (source=cpu OR sourcetype=ps)

Then do field extractions, filtering, eval, whatnot, and give your cpu source a process:

... | eval process=if(source=cpu, "CPU", process)

And throw it all into one timechart by process.

Realtime Combined Search

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor