- Splunk Answers
- :
- Using Splunk
- :
- Reporting
- :
- Re: multiple splunk search queries
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
multiple splunk search queries
Team,
i would like to generate TPS based on two different search criteria but both has to run single report and should be populate both TPS values in single report.
Query 1:
index=abc "String 1"
| bin _time span=1s
| chart count as TPS by _time
| timechart max(TPS) as peakTPS eval(round(avg(TPS),2)) as avgTPS span=1h
Query 2:
index=abc "String1" OR "String 2"
| bin _time span=1s
| chart count as TPS by _time
| timechart max(TPS) as peakTPS eval(round(avg(TPS),2)) as avgTPS span=1h
Here query 1 finds TPS and Peak TPS based on one particular string and query 2 find TPS , Peak TPS based on string which i used on query 1 and another string on top of it. Now i would like to get merge both of then in single query so that one single report is enough for providing metrics
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@appusplunk14 What's peakTime?
untable is need for second timechart.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
consider if i see peak TPS at 08:00 AM MST then i would like to print time stamp for that duration.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your first query didn't give us such a number, did it?
I can't create something out of thin air.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
given query is displaying data like below:
2020-12-31 10:00 108.77 56.91 1835 143
2020-12-31 11:00 109.00 54.49 2167 119
2020-12-31 12:00 110.47 56.49 1823 131
as i said we want to display time during which we had high number of events in that hour.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index=_internal "splunkd" OR "sourcetype"
| eval matches=if(searchmatch("splunkd"),"splunkd","sourcetype")
| bin _time span=1s
| chart count as TPS by _time matches
| untable _time matches TPS
| timechart max(TPS) as peakTPS eval(round(avg(TPS),2)) as avgTPS span=1h by matches
| untable _time tps value
| eventstats max(value) as max_TPS by tps
| eval high_time=if(max_TPS==value,tps,NULL)
| xyseries _time tps value high_time
| foreach high* [ eval high_time=mvappend(high_time,'<<FIELD>>')]
| rename "value: *" as *
| fields - high_time:*
| table _time avg* peak* high_time- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sample:
index=_internal "splunkd" OR "sourcetype"
| eval matches=if(searchmatch("splunkd"),"splunkd","sourcetype")
| bin _time span=1s
| chart count as TPS by _time matches
| untable _time matches TPS
| timechart max(TPS) as peakTPS eval(round(avg(TPS),2)) as avgTPS span=1h by matches- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thank you , its working good but i would like to include peakTime for both different search criteria , how do i do that? and what exactly untable means ? why are we using untable in this requirement?
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
