Reporting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

multiple splunk search queries

appusplunk14
Engager
‎12-28-2020 01:08 PM

Team,

i would like to generate TPS based on two different search criteria but both has to run single report and should be populate both TPS values in single report.

Query 1:

index=abc "String 1"
| bin _time span=1s
| chart count as TPS by _time
| timechart max(TPS) as peakTPS eval(round(avg(TPS),2)) as avgTPS span=1h

Query 2:

index=abc "String1" OR "String 2"
| bin _time span=1s
| chart count as TPS by _time
| timechart max(TPS) as peakTPS eval(round(avg(TPS),2)) as avgTPS span=1h

 

Here query 1 finds TPS and Peak TPS based on one particular string and query 2 find TPS , Peak TPS based on string which i used on query 1 and another string on top of it. Now i would like to get merge both of then in single query so that one single report is enough for providing metrics

Labels (1)
Labels
0 Karma
Reply

to4kawa
Ultra Champion
‎12-28-2020 06:22 PM

@appusplunk14 What's peakTime?

untable is need for second timechart.

0 Karma
Reply

appusplunk14
Engager
‎12-29-2020 07:40 AM

consider if i see peak TPS at 08:00 AM MST then i would like to print time stamp for that duration. 

0 Karma
Reply

to4kawa
Ultra Champion
‎12-29-2020 01:59 PM

Your first query didn't give us such a number, did it?
I can't create something out of thin air.

0 Karma
Reply

appusplunk14
Engager
‎12-31-2020 09:32 AM

given query is displaying data like below:

2020-12-31 10:00 108.77 56.91 1835 143
2020-12-31 11:00 109.00 54.49 2167 119
2020-12-31 12:00 110.47 56.49 1823 131

as i said we want to display time during which we had high number of events in that hour.

0 Karma
Reply

to4kawa
Ultra Champion
‎12-31-2020 02:46 PM 
index=_internal "splunkd" OR "sourcetype" 
| eval matches=if(searchmatch("splunkd"),"splunkd","sourcetype")
| bin _time span=1s
| chart count as TPS by _time matches
| untable _time matches TPS
| timechart max(TPS) as peakTPS eval(round(avg(TPS),2)) as avgTPS span=1h by matches
| untable _time tps value
| eventstats max(value) as max_TPS by tps
| eval high_time=if(max_TPS==value,tps,NULL)
| xyseries _time tps value high_time
| foreach high* [ eval high_time=mvappend(high_time,'<<FIELD>>')]
| rename "value: *" as *
| fields - high_time:*
| table _time avg* peak* high_time
0 Karma
Reply

to4kawa
Ultra Champion
‎12-28-2020 04:33 PM

sample:

index=_internal "splunkd" OR "sourcetype" 
| eval matches=if(searchmatch("splunkd"),"splunkd","sourcetype")
| bin _time span=1s
| chart count as TPS by _time matches
| untable _time matches TPS
| timechart max(TPS) as peakTPS eval(round(avg(TPS),2)) as avgTPS span=1h by matches
0 Karma
Reply

appusplunk14
Engager
‎12-28-2020 06:03 PM

thank you , its working  good but i would like to include peakTime for both different search criteria , how do i do that? and what exactly untable means ? why are we using untable in this requirement? 

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...