Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Adding a column from a subsearch

hatbeard
Explorer
‎03-07-2018 12:53 PM

I have this query that i've lightly changed from the winfra app, but i want to add a PID into it, that would be in the second query. I'm having trouble figuring out how to get this done.

eventtype="perfmon_windows" (Host="SERVER" ) Host="*" object="Process" counter="% Processor Time" instance="coldfusion*" AND NOT instance="coldfusions*"  | stats sparkline(avg(Value)) as Trend avg(Value) as Average, max(Value) as Peak, latest(Value) as Current, latest(_time) as "Last Updated" by instance | convert ctime("Last Updated") | sort - Current | eval Average=round(Average, 2) | eval Peak=round(Peak, 2) | eval Current=round(Current, 2)

then there's this one, which has the value of the PID

eventtype="perfmon_windows" (Host="SERVER" ) object="Process" instance="coldfusion*" AND NOT instance="coldfusions*"  counter="ID Process" |table Value

When I use a JOIN i get far too many columns back.

0 Karma
Reply

kamal_jagga
Contributor
‎03-07-2018 01:30 PM

There should be 1 field common in both the queries to combine the values.

Your first query doesn't have "value" field being carried in the final results.

Example:
| inputlookup abc.csv
| table common_field host
| appendcols
[| inputlookup xyz.csv
| table common_field dest
]
| table common_field host dest

Reply

hatbeard
Explorer
‎03-07-2018 01:34 PM

The instance field is common between them. They're similar searches, just on different objects.

0 Karma
Reply

kamal_jagga
Contributor
‎03-19-2018 01:41 PM

Following should work.
Example:
Search 1
| table instance *
| appendcols
[|Search 2
| table instance PID
]
| table instance PID *

0 Karma
Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...