Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

combine 2 queries.

vishwa
Path Finder
‎03-30-2024 07:40 PM

query 1:

|mstats sum(transaction) as Total sum(success) as Success where index=metric-index transaction IN(transaction1, transaction2, transaction3) by service transaction
|eval SuccessPerct=round(((Success/Total)*100),2)
|xyseries service transaction Total Success SuccessPerct
|table service "Success: transaction1" "SuccessPerct: transaction1" "SuccessPerct: transaction2" "Total: transaction2" "Success: transaction2"
|join service
[|mstats sum(error-count) as Error where index=metric-index by service errortype
|append
[|search index=app-index sourcetype=appl-logs (TERM(POST) OR TERM(GET) OR TERM(DELETE) OR TERM(PATCH)) OR errorNumber!=0 appls=et
|lookup app-error.csv code as errorNumber output type as errortype
|stats count as app.error count by appls errortype
|rename appls as service error-count as Error]
|xyseries service errortype Error
|rename wvv as WVVErrors xxf as nonerrors]
|addtotals "Success: transaction1" WVVErrors nonerrors fieldname="Total: transaction1"
|eval sort_service=case(service="serv1",1,service="serv2",2,service="serv3",3,service="serv4",4,service="serv5",5,service="serv6",6,service="serv7",7,service="serv8",8,service="serv9",9,service="serv10",10)
|sort + sort_service
|table service "Success: transaction1" "SuccessPerct: transaction2" WVVErrors nonerrors
|fillnull value=0

 

query1 OUTPUT:

serviceSuccess: transaction1SuccessPerct: transaction2WVVErrors nonerrors
serv1345678.00000012.337.000000110.000000
serv2345213.00000022.348777.0000000
serv31269.00000012.457768.000000563
serv434567.00000011.56124447.0000000
serv523456.00000067.5510.000000067
serv667778.00000089.5515.00000032
serv734421.00000089.0017.00000056
serv8239078.00000053.9837.00000067.0000000
serv9769.00000009.5487.000000 8.00000
serv103467678.00000087.9922.00000027.000000
serv11285678.00000056.441123.00000090.00000
serv125123.00000089.6634557.00000034
serv13678.00000090.5437.00000056
serv14345234678.00000089.22897.00000033
serv1512412.33678.00000045.2911237.00000023.000000


query2:

|mstats sum(error-count) as Error where index=metric-index by service errorNumber errortype

query2: output:

serviceerrorNumbererrortypeError
serv10wvv7.000000
serv122wvv8777.000000
serv122wvv7768.000000
serv145wvv124447.000000
serv20xxf10.000000
serv222xxf15.000000
serv222xxf17.000000
serv245xxf37.000000
serv30wvv87.000000
serv322wvv22.000000
serv322wvv1123.000000
serv345wvv34557.000000
serv40xxf37.000000
serv426xxf897.000000
serv422xxf11237.000000
serv440xxf7768.000000
serv525wvv124447.000000
serv528wvv10.000000
serv51000wvv15.000000
serv510wvv17.000000
serv622xxf37.000000
serv634xxf87.000000
serv688xxf22.000000
serv610xxf45.000000

 

we want to combine query 1 and query2 and want to get the both outputs in one table.

Labels (1)
Labels
0 Karma
Reply

marnall
Motivator
‎04-02-2024 12:14 PM

Does this combined query produce the desired results?

|mstats sum(transaction) as Total sum(success) as Success where index=metric-index transaction IN(transaction1, transaction2, transaction3) by service transaction
|eval SuccessPerct=round(((Success/Total)*100),2)
|xyseries service transaction Total Success SuccessPerct
|table service "Success: transaction1" "SuccessPerct: transaction1" "SuccessPerct: transaction2" "Total: transaction2" "Success: transaction2"
|join service
[|mstats sum(error-count) as Error where index=metric-index by service errortype
|append
[|search index=app-index sourcetype=appl-logs (TERM(POST) OR TERM(GET) OR TERM(DELETE) OR TERM(PATCH)) OR errorNumber!=0 appls=et
|lookup app-error.csv code as errorNumber output type as errortype
|stats count as app.error count by appls errortype
|rename appls as service error-count as Error]
|xyseries service errortype Error
|rename wvv as WVVErrors xxf as nonerrors]
|addtotals "Success: transaction1" WVVErrors nonerrors fieldname="Total: transaction1"
|eval sort_service=case(service="serv1",1,service="serv2",2,service="serv3",3,service="serv4",4,service="serv5",5,service="serv6",6,service="serv7",7,service="serv8",8,service="serv9",9,service="serv10",10)
|sort + sort_service
|table service "Success: transaction1" "SuccessPerct: transaction2" WVVErrors nonerrors
|fillnull value=0 
| append [|mstats sum(error-count) as Error where index=metric-index by service errorNumber errortype] 
| stats values(*) as * by service
0 Karma
Reply

marnall
Motivator
‎03-31-2024 02:04 AM

Table 1 has single values for the columns per each service, while Table 2 has multiple rows per service. You could duplicate the rows of Table1 to fill the rows of Table 2, or you could make the fields of Table 2 turn into multi-value fields in Table 1.

E.g. to do the latter (multi-value field) option:

<query 1>
| append [ <query2> ]
| stats values(*) as * by service

 

0 Karma
Reply

vishwa
Path Finder
‎03-31-2024 12:01 PM

Hi @marnall, soory I did not understand. But I tried to combine 2 queries to get combined output but I am not getting it.

Can u pls share me the query 

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...