Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Enterprise
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- Splunk Products
- :
- Splunk Enterprise
- :
- Re: combine 2 queries.
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
combine 2 queries.
vishwa
Path Finder
03-30-2024
07:40 PM
query 1:
|mstats sum(transaction) as Total sum(success) as Success where index=metric-index transaction IN(transaction1, transaction2, transaction3) by service transaction
|eval SuccessPerct=round(((Success/Total)*100),2)
|xyseries service transaction Total Success SuccessPerct
|table service "Success: transaction1" "SuccessPerct: transaction1" "SuccessPerct: transaction2" "Total: transaction2" "Success: transaction2"
|join service
[|mstats sum(error-count) as Error where index=metric-index by service errortype
|append
[|search index=app-index sourcetype=appl-logs (TERM(POST) OR TERM(GET) OR TERM(DELETE) OR TERM(PATCH)) OR errorNumber!=0 appls=et
|lookup app-error.csv code as errorNumber output type as errortype
|stats count as app.error count by appls errortype
|rename appls as service error-count as Error]
|xyseries service errortype Error
|rename wvv as WVVErrors xxf as nonerrors]
|addtotals "Success: transaction1" WVVErrors nonerrors fieldname="Total: transaction1"
|eval sort_service=case(service="serv1",1,service="serv2",2,service="serv3",3,service="serv4",4,service="serv5",5,service="serv6",6,service="serv7",7,service="serv8",8,service="serv9",9,service="serv10",10)
|sort + sort_service
|table service "Success: transaction1" "SuccessPerct: transaction2" WVVErrors nonerrors
|fillnull value=0
query1 OUTPUT:
| service | Success: transaction1 | SuccessPerct: transaction2 | WVVErrors | nonerrors |
| serv1 | 345678.000000 | 12.33 | 7.000000 | 110.000000 |
| serv2 | 345213.000000 | 22.34 | 8777.000000 | 0 |
| serv3 | 1269.000000 | 12.45 | 7768.000000 | 563 |
| serv4 | 34567.000000 | 11.56 | 124447.000000 | 0 |
| serv5 | 23456.000000 | 67.55 | 10.000000 | 067 |
| serv6 | 67778.000000 | 89.55 | 15.000000 | 32 |
| serv7 | 34421.000000 | 89.00 | 17.000000 | 56 |
| serv8 | 239078.000000 | 53.98 | 37.000000 | 67.0000000 |
| serv9 | 769.000000 | 09.54 | 87.000000 | 8.00000 |
| serv10 | 3467678.000000 | 87.99 | 22.000000 | 27.000000 |
| serv11 | 285678.000000 | 56.44 | 1123.000000 | 90.00000 |
| serv12 | 5123.000000 | 89.66 | 34557.000000 | 34 |
| serv13 | 678.000000 | 90.54 | 37.000000 | 56 |
| serv14 | 345234678.000000 | 89.22 | 897.000000 | 33 |
| serv15 | 12412.33678.000000 | 45.29 | 11237.000000 | 23.000000 |
query2:
|mstats sum(error-count) as Error where index=metric-index by service errorNumber errortypequery2: output:
| service | errorNumber | errortype | Error |
| serv1 | 0 | wvv | 7.000000 |
| serv1 | 22 | wvv | 8777.000000 |
| serv1 | 22 | wvv | 7768.000000 |
| serv1 | 45 | wvv | 124447.000000 |
| serv2 | 0 | xxf | 10.000000 |
| serv2 | 22 | xxf | 15.000000 |
| serv2 | 22 | xxf | 17.000000 |
| serv2 | 45 | xxf | 37.000000 |
| serv3 | 0 | wvv | 87.000000 |
| serv3 | 22 | wvv | 22.000000 |
| serv3 | 22 | wvv | 1123.000000 |
| serv3 | 45 | wvv | 34557.000000 |
| serv4 | 0 | xxf | 37.000000 |
| serv4 | 26 | xxf | 897.000000 |
| serv4 | 22 | xxf | 11237.000000 |
| serv4 | 40 | xxf | 7768.000000 |
| serv5 | 25 | wvv | 124447.000000 |
| serv5 | 28 | wvv | 10.000000 |
| serv5 | 1000 | wvv | 15.000000 |
| serv5 | 10 | wvv | 17.000000 |
| serv6 | 22 | xxf | 37.000000 |
| serv6 | 34 | xxf | 87.000000 |
| serv6 | 88 | xxf | 22.000000 |
| serv6 | 10 | xxf | 45.000000 |
we want to combine query 1 and query2 and want to get the both outputs in one table.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
marnall
Motivator
04-02-2024
12:14 PM
Does this combined query produce the desired results?
|mstats sum(transaction) as Total sum(success) as Success where index=metric-index transaction IN(transaction1, transaction2, transaction3) by service transaction
|eval SuccessPerct=round(((Success/Total)*100),2)
|xyseries service transaction Total Success SuccessPerct
|table service "Success: transaction1" "SuccessPerct: transaction1" "SuccessPerct: transaction2" "Total: transaction2" "Success: transaction2"
|join service
[|mstats sum(error-count) as Error where index=metric-index by service errortype
|append
[|search index=app-index sourcetype=appl-logs (TERM(POST) OR TERM(GET) OR TERM(DELETE) OR TERM(PATCH)) OR errorNumber!=0 appls=et
|lookup app-error.csv code as errorNumber output type as errortype
|stats count as app.error count by appls errortype
|rename appls as service error-count as Error]
|xyseries service errortype Error
|rename wvv as WVVErrors xxf as nonerrors]
|addtotals "Success: transaction1" WVVErrors nonerrors fieldname="Total: transaction1"
|eval sort_service=case(service="serv1",1,service="serv2",2,service="serv3",3,service="serv4",4,service="serv5",5,service="serv6",6,service="serv7",7,service="serv8",8,service="serv9",9,service="serv10",10)
|sort + sort_service
|table service "Success: transaction1" "SuccessPerct: transaction2" WVVErrors nonerrors
|fillnull value=0
| append [|mstats sum(error-count) as Error where index=metric-index by service errorNumber errortype]
| stats values(*) as * by service- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
marnall
Motivator
03-31-2024
02:04 AM
Table 1 has single values for the columns per each service, while Table 2 has multiple rows per service. You could duplicate the rows of Table1 to fill the rows of Table 2, or you could make the fields of Table 2 turn into multi-value fields in Table 1.
E.g. to do the latter (multi-value field) option:
<query 1>
| append [ <query2> ]
| stats values(*) as * by service
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
vishwa
Path Finder
03-31-2024
12:01 PM
Hi @marnall, soory I did not understand. But I tried to combine 2 queries to get combined output but I am not getting it.
Can u pls share me the query
Got questions? Get answers!
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Meet up IRL or virtually!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Get Updates on the Splunk Community!
May 2026 Splunk Expert Sessions: Security & Observability
Level Up Your Operations: May 2026 Splunk Expert Sessions
Whether you are refining your security posture or ...
Network to App: Observability Unlocked [May & June Series]
In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...
SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...
Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...
