Reporting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

i have 2 searches having same sourcetype but different string parameter results, how can i combine those and it should result in one by one in stats

ramanir
New Member
‎01-07-2019 12:13 AM

I have 2 searches separately, how can i combine those to fetch results one by one in statistics tab.like mentioned below.

siebel-order-details 1/7/2019 12:55 10

pinless-product-offers 1/7/2019 12:00 19

index=vha_pronto
sourcetype=pronto_pil_logs
"pinless-product-offers" earliest=-1h@h latest=-0h@h |
timechart count as "Total Request" span=5m

index=vha_pronto
sourcetype=pronto_pil_logs
"siebel-order-details" earliest=-1h@h latest=-0h@h |
timechart count as "Total Request" span=5m

Tags (1)
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎01-08-2019 04:43 PM

You can combine the two like this:

earliest=-1h@h latest=-0h@h index=vha_pronto sourcetype=pronto_pil_logs ("pinless-product-offers" OR "siebel-order-details")
| eval class = case(searchmatch("pinless-product-offers"), "pinless", searchmatch("siebel-order-details"), "siebel", true(), "wtf")
| timechart span=5m count by class

This will search for both types of events, classify them [priority given to pinless here, in case an event contains both strings], and count each class of events over time, giving you two value columns / coloured lines in your chart.

Relying on just strings contained in your event is often okay, but I recommend using a field that contains the type of product offer you are looking for, and splitting the timechart by that field. Then you won't have to re-classify manually in every search. If you had such a field the search would look like this:

earliest=-1h@h latest=-0h@h index=vha_pronto sourcetype=pronto_pil_logs (product_category="pinless-product-offers" OR product_category="siebel-order-details")
| timechart span=5m count by product_category
0 Karma
Reply

p_gurav
Champion
‎01-07-2019 12:28 AM

Try append command:

index=vha_pronto 
sourcetype=pronto_pil_logs
"pinless-product-offers" earliest=-1h@h latest=-0h@h |
timechart count as "Total Request" span=5m | append [ search index=vha_pronto 
sourcetype=pronto_pil_logs
"siebel-order-details" earliest=-1h@h latest=-0h@h | 
timechart count as "Total Request" span=5m ]
0 Karma
Reply

ramanir
New Member
‎01-07-2019 08:59 PM

@p_gurav
thanks for you reply but iam not getting exact output when i use append.

query 1:

index=vha_pronto sourcetype=pronto_pil_logs "pinless-product-offers" earliest=-1h@h latest=-0h@h | timechart count as "Total Request" span=5m |appendcols [search index=vha_pronto sourcetype=pronto_pil_logs "updateProntoProdOffers" earliest=-1h@h latest=-0h@h | timechart count as "Total Success" span=5m] | appendcols [search index=vha_pronto sourcetype=pronto_pil_logs "pinless-product-offers" AND "The system is temporarily unavailable" earliest=-1h@h latest=-0h@h | timechart count as "Total failure" span=5m] | eval instanceName="Pinless_SS2_Order" | eval Time=strftime(time,"%Y-%m-%d %H:%M") | eval Platform="Pronto" | eval Application="PIL"| eval instanceTag=instanceName."".Platform."_".Application |table instanceTag Platform Application Time "Total Request" "Total Success" "Total failure" | rename instanceTag AS "#Instance TAG" Time as Timestamp |fillnull

query 2:

index=vha_pronto sourcetype=pronto_pil_logs "siebel-order-details" earliest=-1h@h latest=-0h@h | timechart count as "Total Request" span=5m ] |appendcols [search index=vha_pronto sourcetype=pronto_pil_logs "updateProntoSiebelOrder" earliest=-1h@h latest=-0h@h | timechart count as "Total Success" span=5m] | appendcols [search index=vha_pronto sourcetype=pronto_pil_logs "siebel-order-details" AND "The system is temporarily unavailable" earliest=-1h@h latest=-0h@h | timechart count as "Total failure" span=5m] | eval instanceName="Siebel_VFF_Order_SS2_Order" | eval Time=strftime(time,"%Y-%m-%d %H:%M") | eval Platform="Pronto" | eval Application="PIL"| eval instanceTag=instanceName."".Platform."_".Application |table instanceTag Platform Application Time "Total Request" "Total Success" "Total failure" | rename instanceTag AS "#Instance TAG" Time as Timestamp |fillnull

how can i combine these 2 to produce result as one by one like below:
Siebel_VFF_Order_Pronto_PIL Pronto PIL 1/7/2019 12:55 10 10 0
Pinless_SS2_Order_Pronto_PIL Pronto PIL 1/7/2019 12:00 19 19 0

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...