Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Enterprise
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Splunk Platform
- :
- Splunk Enterprise
- :
- combine 2 queries.
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
combine 2 queries.
vishwa
Path Finder
03-30-2024
07:40 PM
query 1:
|mstats sum(transaction) as Total sum(success) as Success where index=metric-index transaction IN(transaction1, transaction2, transaction3) by service transaction
|eval SuccessPerct=round(((Success/Total)*100),2)
|xyseries service transaction Total Success SuccessPerct
|table service "Success: transaction1" "SuccessPerct: transaction1" "SuccessPerct: transaction2" "Total: transaction2" "Success: transaction2"
|join service
[|mstats sum(error-count) as Error where index=metric-index by service errortype
|append
[|search index=app-index sourcetype=appl-logs (TERM(POST) OR TERM(GET) OR TERM(DELETE) OR TERM(PATCH)) OR errorNumber!=0 appls=et
|lookup app-error.csv code as errorNumber output type as errortype
|stats count as app.error count by appls errortype
|rename appls as service error-count as Error]
|xyseries service errortype Error
|rename wvv as WVVErrors xxf as nonerrors]
|addtotals "Success: transaction1" WVVErrors nonerrors fieldname="Total: transaction1"
|eval sort_service=case(service="serv1",1,service="serv2",2,service="serv3",3,service="serv4",4,service="serv5",5,service="serv6",6,service="serv7",7,service="serv8",8,service="serv9",9,service="serv10",10)
|sort + sort_service
|table service "Success: transaction1" "SuccessPerct: transaction2" WVVErrors nonerrors
|fillnull value=0
query1 OUTPUT:
| service | Success: transaction1 | SuccessPerct: transaction2 | WVVErrors | nonerrors |
| serv1 | 345678.000000 | 12.33 | 7.000000 | 110.000000 |
| serv2 | 345213.000000 | 22.34 | 8777.000000 | 0 |
| serv3 | 1269.000000 | 12.45 | 7768.000000 | 563 |
| serv4 | 34567.000000 | 11.56 | 124447.000000 | 0 |
| serv5 | 23456.000000 | 67.55 | 10.000000 | 067 |
| serv6 | 67778.000000 | 89.55 | 15.000000 | 32 |
| serv7 | 34421.000000 | 89.00 | 17.000000 | 56 |
| serv8 | 239078.000000 | 53.98 | 37.000000 | 67.0000000 |
| serv9 | 769.000000 | 09.54 | 87.000000 | 8.00000 |
| serv10 | 3467678.000000 | 87.99 | 22.000000 | 27.000000 |
| serv11 | 285678.000000 | 56.44 | 1123.000000 | 90.00000 |
| serv12 | 5123.000000 | 89.66 | 34557.000000 | 34 |
| serv13 | 678.000000 | 90.54 | 37.000000 | 56 |
| serv14 | 345234678.000000 | 89.22 | 897.000000 | 33 |
| serv15 | 12412.33678.000000 | 45.29 | 11237.000000 | 23.000000 |
query2:
|mstats sum(error-count) as Error where index=metric-index by service errorNumber errortypequery2: output:
| service | errorNumber | errortype | Error |
| serv1 | 0 | wvv | 7.000000 |
| serv1 | 22 | wvv | 8777.000000 |
| serv1 | 22 | wvv | 7768.000000 |
| serv1 | 45 | wvv | 124447.000000 |
| serv2 | 0 | xxf | 10.000000 |
| serv2 | 22 | xxf | 15.000000 |
| serv2 | 22 | xxf | 17.000000 |
| serv2 | 45 | xxf | 37.000000 |
| serv3 | 0 | wvv | 87.000000 |
| serv3 | 22 | wvv | 22.000000 |
| serv3 | 22 | wvv | 1123.000000 |
| serv3 | 45 | wvv | 34557.000000 |
| serv4 | 0 | xxf | 37.000000 |
| serv4 | 26 | xxf | 897.000000 |
| serv4 | 22 | xxf | 11237.000000 |
| serv4 | 40 | xxf | 7768.000000 |
| serv5 | 25 | wvv | 124447.000000 |
| serv5 | 28 | wvv | 10.000000 |
| serv5 | 1000 | wvv | 15.000000 |
| serv5 | 10 | wvv | 17.000000 |
| serv6 | 22 | xxf | 37.000000 |
| serv6 | 34 | xxf | 87.000000 |
| serv6 | 88 | xxf | 22.000000 |
| serv6 | 10 | xxf | 45.000000 |
we want to combine query 1 and query2 and want to get the both outputs in one table.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
marnall
Motivator
04-02-2024
12:14 PM
Does this combined query produce the desired results?
|mstats sum(transaction) as Total sum(success) as Success where index=metric-index transaction IN(transaction1, transaction2, transaction3) by service transaction
|eval SuccessPerct=round(((Success/Total)*100),2)
|xyseries service transaction Total Success SuccessPerct
|table service "Success: transaction1" "SuccessPerct: transaction1" "SuccessPerct: transaction2" "Total: transaction2" "Success: transaction2"
|join service
[|mstats sum(error-count) as Error where index=metric-index by service errortype
|append
[|search index=app-index sourcetype=appl-logs (TERM(POST) OR TERM(GET) OR TERM(DELETE) OR TERM(PATCH)) OR errorNumber!=0 appls=et
|lookup app-error.csv code as errorNumber output type as errortype
|stats count as app.error count by appls errortype
|rename appls as service error-count as Error]
|xyseries service errortype Error
|rename wvv as WVVErrors xxf as nonerrors]
|addtotals "Success: transaction1" WVVErrors nonerrors fieldname="Total: transaction1"
|eval sort_service=case(service="serv1",1,service="serv2",2,service="serv3",3,service="serv4",4,service="serv5",5,service="serv6",6,service="serv7",7,service="serv8",8,service="serv9",9,service="serv10",10)
|sort + sort_service
|table service "Success: transaction1" "SuccessPerct: transaction2" WVVErrors nonerrors
|fillnull value=0
| append [|mstats sum(error-count) as Error where index=metric-index by service errorNumber errortype]
| stats values(*) as * by service- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
marnall
Motivator
03-31-2024
02:04 AM
Table 1 has single values for the columns per each service, while Table 2 has multiple rows per service. You could duplicate the rows of Table1 to fill the rows of Table 2, or you could make the fields of Table 2 turn into multi-value fields in Table 1.
E.g. to do the latter (multi-value field) option:
<query 1>
| append [ <query2> ]
| stats values(*) as * by service
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
vishwa
Path Finder
03-31-2024
12:01 PM
Hi @marnall, soory I did not understand. But I tried to combine 2 queries to get combined output but I am not getting it.
Can u pls share me the query
Get Updates on the Splunk Community!
Splunk Observability for AI
Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...
Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...
Watch On Demand the Tech Talk on November 6 at 11AM PT, and empower your SOC to reach new heights!
Duration: ...
Splunk Observability as Code: From Zero to Dashboard
For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...
