- Splunk Answers
- :
- Using Splunk
- :
- Reporting
- :
- multiple splunk search queries
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
multiple splunk search queries
Team,
i would like to generate TPS based on two different search criteria but both has to run single report and should be populate both TPS values in single report.
Query 1:
index=abc "String 1"
| bin _time span=1s
| chart count as TPS by _time
| timechart max(TPS) as peakTPS eval(round(avg(TPS),2)) as avgTPS span=1h
Query 2:
index=abc "String1" OR "String 2"
| bin _time span=1s
| chart count as TPS by _time
| timechart max(TPS) as peakTPS eval(round(avg(TPS),2)) as avgTPS span=1h
Here query 1 finds TPS and Peak TPS based on one particular string and query 2 find TPS , Peak TPS based on string which i used on query 1 and another string on top of it. Now i would like to get merge both of then in single query so that one single report is enough for providing metrics
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@appusplunk14 What's peakTime?
untable is need for second timechart.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
consider if i see peak TPS at 08:00 AM MST then i would like to print time stamp for that duration.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your first query didn't give us such a number, did it?
I can't create something out of thin air.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
given query is displaying data like below:
2020-12-31 10:00 108.77 56.91 1835 143
2020-12-31 11:00 109.00 54.49 2167 119
2020-12-31 12:00 110.47 56.49 1823 131
as i said we want to display time during which we had high number of events in that hour.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index=_internal "splunkd" OR "sourcetype"
| eval matches=if(searchmatch("splunkd"),"splunkd","sourcetype")
| bin _time span=1s
| chart count as TPS by _time matches
| untable _time matches TPS
| timechart max(TPS) as peakTPS eval(round(avg(TPS),2)) as avgTPS span=1h by matches
| untable _time tps value
| eventstats max(value) as max_TPS by tps
| eval high_time=if(max_TPS==value,tps,NULL)
| xyseries _time tps value high_time
| foreach high* [ eval high_time=mvappend(high_time,'<<FIELD>>')]
| rename "value: *" as *
| fields - high_time:*
| table _time avg* peak* high_time- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sample:
index=_internal "splunkd" OR "sourcetype"
| eval matches=if(searchmatch("splunkd"),"splunkd","sourcetype")
| bin _time span=1s
| chart count as TPS by _time matches
| untable _time matches TPS
| timechart max(TPS) as peakTPS eval(round(avg(TPS),2)) as avgTPS span=1h by matches- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thank you , its working good but i would like to include peakTime for both different search criteria , how do i do that? and what exactly untable means ? why are we using untable in this requirement?
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
