Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Adding a column from a subsearch

hatbeard
Explorer
‎03-07-2018 12:53 PM

I have this query that i've lightly changed from the winfra app, but i want to add a PID into it, that would be in the second query. I'm having trouble figuring out how to get this done.

eventtype="perfmon_windows" (Host="SERVER" ) Host="*" object="Process" counter="% Processor Time" instance="coldfusion*" AND NOT instance="coldfusions*"  | stats sparkline(avg(Value)) as Trend avg(Value) as Average, max(Value) as Peak, latest(Value) as Current, latest(_time) as "Last Updated" by instance | convert ctime("Last Updated") | sort - Current | eval Average=round(Average, 2) | eval Peak=round(Peak, 2) | eval Current=round(Current, 2)

then there's this one, which has the value of the PID

eventtype="perfmon_windows" (Host="SERVER" ) object="Process" instance="coldfusion*" AND NOT instance="coldfusions*"  counter="ID Process" |table Value

When I use a JOIN i get far too many columns back.

0 Karma
Reply

kamal_jagga
Contributor
‎03-07-2018 01:30 PM

There should be 1 field common in both the queries to combine the values.

Your first query doesn't have "value" field being carried in the final results.

Example:
| inputlookup abc.csv
| table common_field host
| appendcols
[| inputlookup xyz.csv
| table common_field dest
]
| table common_field host dest

Reply

hatbeard
Explorer
‎03-07-2018 01:34 PM

The instance field is common between them. They're similar searches, just on different objects.

0 Karma
Reply

kamal_jagga
Contributor
‎03-19-2018 01:41 PM

Following should work.
Example:
Search 1
| table instance *
| appendcols
[|Search 2
| table instance PID
]
| table instance PID *

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...