- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Can I append results from 2 different sourcety...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can I append results from 2 different sourcetypes?
Hi,
I am trying to append results from 2 different sources and i am not seeing results populated especially for the sub search. Most of the times first search will not have any values (in timechart it would be 0s but subsearch will have always values as it is response time). But it is not showing any values for the subsearch. i have tried join, etc but no use. basically i am trying to view response time over time on top of first search results.
sourcetype=X date_hour > 8 date_hour < 19 date_wday!=Sunday date_wday!=Saturday | timechart count | appendcols [search sourcetype=Y | timechart avg(rt_sec) as RespTime]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this workaround
sourcetype=X date_hour > 8 date_hour < 19 date_wday!=Sunday date_wday!=Saturday | timechart count | append [search sourcetype=Y | timechart avg(rt_sec) as RespTime] | stats first(*) as * by _time
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am able to get results if i use left join and have max value specified. Like this...join type=left max=600 _time
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i am not getting the 2nd column at all. I have switched base search vs sub search
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Also, since the subsearch always returns values, can you make it base search and use base search (which doesn't return result always) as subsearch? You can use table command to correct the order of the field.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try without the last stats and let me know the columns you're getting...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i have tried to use stats with having bucket _time i see 2 columns but as the first part has only few values i am not seeing data points when it is missing values
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, I am not getting any results if i use that
Observability | Use Synthetic Monitoring for Website Metadata Verification
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
