Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Single result out of multiple queries

DaleFRice
Explorer
‎06-18-2013 02:34 PM

As part of an application we're trying to develop, we want to be able to track multiple event types (requests per hour, sales per hour, etc) and from those generate a higher level metric (conversions, for example). Ideally, we would want to run each query independently, and then generate and show the higher level metric based on those results. Is there any way within the app framework to pull values out of a query or search and combine it with values from other queries/searches without actually combining the queries?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DaleFRice
Explorer
‎06-19-2013 09:54 AM

Found a workable solution using the outputlookup command. I can run each query in a HiddenSearch and use outputlookup to write the outputs to .csv files, then read and work with them in the HTML5/JavaScript to generate the higher order metrics.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

DaleFRice
Explorer
‎06-19-2013 09:54 AM

Found a workable solution using the outputlookup command. I can run each query in a HiddenSearch and use outputlookup to write the outputs to .csv files, then read and work with them in the HTML5/JavaScript to generate the higher order metrics.

0 Karma
Reply
Solved! Jump to solution

peter_krammer
Communicator
‎06-19-2013 05:32 AM

I use the join command to combine the results of different searches.
http://docs.splunk.com/Documentation/Splunk/5.0.3/SearchReference/Join

Simple Example:
index=anindex sourcetype="asourcetype" | join join_field [search index=anotherindex sourcetype="bsourcetype"]

(Very) Complex Example:
index=anindex sourcetype="asourcetype" | join type=left max=0 join_field [search index=anotherindex (sourcetype="b1sourcetype" OR sourcetype="b2sourcetype")] | where search_field="foobar" | eval found_join=if(isnull(anotherfield), "not joined", "joined") | fields join_field, search_field, found_join, anotherfield

PS: Maybe you also want to take a look at how to use subsearches:
http://docs.splunk.com/Documentation/Storm/Storm/User/Useasubsearch

0 Karma
Reply
Solved! Jump to solution

DaleFRice
Explorer
‎06-19-2013 07:41 AM

Thanks for the useful link, but that was unfortunately exactly what I was trying not to do. What I want is to run several searches independent of each other, pull a single value or set of values out of each search and from those values calculate a new value.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk on November 6 at 11AM PT, and empower your SOC to reach new heights! Duration: ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...