Reporting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

multiple splunk search queries

appusplunk14
Engager
‎12-28-2020 01:08 PM

Team,

i would like to generate TPS based on two different search criteria but both has to run single report and should be populate both TPS values in single report.

Query 1:

index=abc "String 1"
| bin _time span=1s
| chart count as TPS by _time
| timechart max(TPS) as peakTPS eval(round(avg(TPS),2)) as avgTPS span=1h

Query 2:

index=abc "String1" OR "String 2"
| bin _time span=1s
| chart count as TPS by _time
| timechart max(TPS) as peakTPS eval(round(avg(TPS),2)) as avgTPS span=1h

 

Here query 1 finds TPS and Peak TPS based on one particular string and query 2 find TPS , Peak TPS based on string which i used on query 1 and another string on top of it. Now i would like to get merge both of then in single query so that one single report is enough for providing metrics

Labels (1)
Labels
0 Karma
Reply

to4kawa
Ultra Champion
‎12-28-2020 06:22 PM

@appusplunk14 What's peakTime?

untable is need for second timechart.

0 Karma
Reply

appusplunk14
Engager
‎12-29-2020 07:40 AM

consider if i see peak TPS at 08:00 AM MST then i would like to print time stamp for that duration. 

0 Karma
Reply

to4kawa
Ultra Champion
‎12-29-2020 01:59 PM

Your first query didn't give us such a number, did it?
I can't create something out of thin air.

0 Karma
Reply

appusplunk14
Engager
‎12-31-2020 09:32 AM

given query is displaying data like below:

2020-12-31 10:00 108.77 56.91 1835 143
2020-12-31 11:00 109.00 54.49 2167 119
2020-12-31 12:00 110.47 56.49 1823 131

as i said we want to display time during which we had high number of events in that hour.

0 Karma
Reply

to4kawa
Ultra Champion
‎12-31-2020 02:46 PM 
index=_internal "splunkd" OR "sourcetype" 
| eval matches=if(searchmatch("splunkd"),"splunkd","sourcetype")
| bin _time span=1s
| chart count as TPS by _time matches
| untable _time matches TPS
| timechart max(TPS) as peakTPS eval(round(avg(TPS),2)) as avgTPS span=1h by matches
| untable _time tps value
| eventstats max(value) as max_TPS by tps
| eval high_time=if(max_TPS==value,tps,NULL)
| xyseries _time tps value high_time
| foreach high* [ eval high_time=mvappend(high_time,'<<FIELD>>')]
| rename "value: *" as *
| fields - high_time:*
| table _time avg* peak* high_time
0 Karma
Reply

to4kawa
Ultra Champion
‎12-28-2020 04:33 PM

sample:

index=_internal "splunkd" OR "sourcetype" 
| eval matches=if(searchmatch("splunkd"),"splunkd","sourcetype")
| bin _time span=1s
| chart count as TPS by _time matches
| untable _time matches TPS
| timechart max(TPS) as peakTPS eval(round(avg(TPS),2)) as avgTPS span=1h by matches
0 Karma
Reply

appusplunk14
Engager
‎12-28-2020 06:03 PM

thank you , its working  good but i would like to include peakTime for both different search criteria , how do i do that? and what exactly untable means ? why are we using untable in this requirement? 

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...