Splunk Enterprise
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Merge Data per timestamp

robertlynch2020
Influencer
‎10-12-2021 08:33 AM

I am pulling data from multiple locations and a new field threshold has been introduced.

The issue is threshold  is common but has different values depending if it is cpuPerc or memoryCons  etc.. There are 4 of them.

 

| mstats min("mx.process.cpu.utilization") as cpuPerc min("mx.process.threads") as nbOfThreads min("mx.process.memory.usage") as memoryCons min("mx.process.file_descriptors") as nbOfOpenFiles min("mx.process.up.time") as upTime avg("mx.process.creation.time") as creationTime WHERE "index"="metrics_test" AND mx.env=http://mx20267vm:15000 span=10s BY pid cmd service.type host.name service.name replica.name component.name threshold

 

 

On option I have if i want to display all the thresholds differently is to write a 3 joins - but this is heavy on CPU.

 

| mstats min("mx.process.cpu.utilization") as cpuPerc WHERE "index"="metrics_test" AND mx.env=http://mx20267vm:15000 span=10s BY pid cmd service.type host.name service.name replica.name component.name threshold 
| rename service.name as service_name 
| rename threshold as T_cpuPerc 
| join _time service.name replica.name 
    [| mstats min("mx.process.threads") as nbOfThreads WHERE "index"="metrics_test" AND mx.env=http://mx20267vm:15000 span=10s BY pid cmd service.type host.name service.name replica.name component.name threshold 
    | rename service.name as service_name 
    | rename threshold as T_nbOfThreads ] 
| join _time service.name replica.name 
    [| mstats min("mx.process.memory.usage") as memoryCons WHERE "index"="metrics_test" AND mx.env=http://mx20267vm:15000 span=10s BY pid cmd service.type host.name service.name replica.name component.name threshold 
    | rename service.name as service_name 
    | rename threshold as T_memoryCons ] 
| join _time service.name replica.name 
    [| mstats min("mx.process.file_descriptors") as nbOfOpenFiles WHERE "index"="metrics_test" AND mx.env=http://mx20267vm:15000 span=10s BY pid cmd service.type host.name service.name replica.name component.name threshold 
    | rename service.name as service_name 
    | rename threshold as T_nbOfOpenFiles ]

 

I am trying this way but I am not sure how to merge the rows by time in the end - any ideas.

 

| mstats min("mx.process.cpu.utilization") as cpuPerc min("mx.process.threads") as nbOfThreads min("mx.process.memory.usage") as memoryCons min("mx.process.file_descriptors") as nbOfOpenFiles min("mx.process.up.time") as upTime avg("mx.process.creation.time") as creationTime WHERE "index"="metrics_test" AND mx.env=http://mx20267vm:15000 span=10s BY pid cmd service.type host.name service.name replica.name component.name threshold 
| rename service.name as service_name 
| search service_name IN (*cache*) 
| eval threshold_nbOfThreads=if(isnull(nbOfThreads),"",$threshold$) 
| eval threshold_memoryCons=if(isnull(memoryCons),"",$threshold$) 
| eval threshold_nbOfOpenFiles=if(isnull(nbOfOpenFiles),"",$threshold$) 
| table _time threshold threshold_nbOfOpenFiles threshold_memoryCons threshold_nbOfThreads

 

The issue is the data is now on different rows  - where I need them to be on the same by _time.

SO in the image below, we have 3 lines for each time. How can i get them to merge per timestamp?

robertlynch2020_0-1634052561713.png

 

 

Labels (1)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

robertlynch2020
Influencer
‎10-12-2021 08:37 AM

Got it with stats at the end - 

 

| mstats min("mx.process.threads") as nbOfThreads min("mx.process.memory.usage") as memoryCons min("mx.process.file_descriptors") as nbOfOpenFiles WHERE "index"="metrics_test" AND mx.env=http://mx20267vm:15000 span=10s BY pid cmd service.type host.name service.name replica.name component.name threshold 
| rename service.name as service_name 
| search service_name IN (*cache*) 
| eval threshold_nbOfThreads=if(isnull(nbOfThreads),"",$threshold$) 
| eval threshold_memoryCons=if(isnull(memoryCons),"",$threshold$) 
| eval threshold_nbOfOpenFiles=if(isnull(nbOfOpenFiles),"",$threshold$) 
| table _time service_name threshold_nbOfOpenFiles threshold_memoryCons threshold_nbOfThreads 
| stats values(threshold_nbOfOpenFiles) as threshold_nbOfOpenFiles values(threshold_memoryCons) as threshold_memoryCons values(threshold_nbOfThreads) as threshold_nbOfThreads by _time service_name

 

Thanks to 

https://community.splunk.com/t5/Splunk-Search/Combine-multiple-rows-in-one-with-a-common-key/m-p/422...

 

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

robertlynch2020
Influencer
‎10-12-2021 08:37 AM

Got it with stats at the end - 

 

| mstats min("mx.process.threads") as nbOfThreads min("mx.process.memory.usage") as memoryCons min("mx.process.file_descriptors") as nbOfOpenFiles WHERE "index"="metrics_test" AND mx.env=http://mx20267vm:15000 span=10s BY pid cmd service.type host.name service.name replica.name component.name threshold 
| rename service.name as service_name 
| search service_name IN (*cache*) 
| eval threshold_nbOfThreads=if(isnull(nbOfThreads),"",$threshold$) 
| eval threshold_memoryCons=if(isnull(memoryCons),"",$threshold$) 
| eval threshold_nbOfOpenFiles=if(isnull(nbOfOpenFiles),"",$threshold$) 
| table _time service_name threshold_nbOfOpenFiles threshold_memoryCons threshold_nbOfThreads 
| stats values(threshold_nbOfOpenFiles) as threshold_nbOfOpenFiles values(threshold_memoryCons) as threshold_memoryCons values(threshold_nbOfThreads) as threshold_nbOfThreads by _time service_name

 

Thanks to 

https://community.splunk.com/t5/Splunk-Search/Combine-multiple-rows-in-one-with-a-common-key/m-p/422...

 

 

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...

Splunk Developer Day announcements: AI agents, MCP tools, Forecasting, and Custom ...

Splunk Developer Day was packed with product and platform updates for developers building in the AI ...