Re: Adding a column from a subsearch

hatbeard · ‎03-07-2018

I have this query that i've lightly changed from the winfra app, but i want to add a PID into it, that would be in the second query. I'm having trouble figuring out how to get this done.

eventtype="perfmon_windows" (Host="SERVER" ) Host="*" object="Process" counter="% Processor Time" instance="coldfusion*" AND NOT instance="coldfusions*"  | stats sparkline(avg(Value)) as Trend avg(Value) as Average, max(Value) as Peak, latest(Value) as Current, latest(_time) as "Last Updated" by instance | convert ctime("Last Updated") | sort - Current | eval Average=round(Average, 2) | eval Peak=round(Peak, 2) | eval Current=round(Current, 2)

then there's this one, which has the value of the PID

eventtype="perfmon_windows" (Host="SERVER" ) object="Process" instance="coldfusion*" AND NOT instance="coldfusions*"  counter="ID Process" |table Value

When I use a JOIN i get far too many columns back.

kamal_jagga · ‎03-07-2018

There should be 1 field common in both the queries to combine the values.

Your first query doesn't have "value" field being carried in the final results.

hatbeard · ‎03-07-2018

The instance field is common between them. They're similar searches, just on different objects.

kamal_jagga · ‎03-19-2018

Adding a column from a subsearch

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

How to find the worst searches in your Splunk environment and how to fix them

Share Your Feedback: On Admin Config Service (ACS)!

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

Join the Conversation