Can I append results from 2 different sourcetypes?

xvxt006 · ‎08-24-2014

Hi,

I am trying to append results from 2 different sources and i am not seeing results populated especially for the sub search. Most of the times first search will not have any values (in timechart it would be 0s but subsearch will have always values as it is response time). But it is not showing any values for the subsearch. i have tried join, etc but no use. basically i am trying to view response time over time on top of first search results.

sourcetype=X    date_hour > 8 date_hour < 19 date_wday!=Sunday date_wday!=Saturday | timechart  count  | appendcols [search sourcetype=Y | timechart avg(rt_sec) as RespTime]

somesoni2 · ‎08-25-2014

Try this workaround

sourcetype=X    date_hour > 8 date_hour < 19 date_wday!=Sunday date_wday!=Saturday | timechart  count  | append [search sourcetype=Y | timechart avg(rt_sec) as RespTime] | stats first(*) as * by _time

xvxt006 · ‎08-25-2014

I am able to get results if i use left join and have max value specified. Like this...join type=left max=600 _time

xvxt006 · ‎08-25-2014

i am not getting the 2nd column at all. I have switched base search vs sub search

somesoni2 · ‎08-25-2014

Also, since the subsearch always returns values, can you make it base search and use base search (which doesn't return result always) as subsearch? You can use table command to correct the order of the field.

somesoni2 · ‎08-25-2014

Try without the last stats and let me know the columns you're getting...

xvxt006 · ‎08-25-2014

i have tried to use stats with having bucket _time i see 2 columns but as the first part has only few values i am not seeing data points when it is missing values

xvxt006 · ‎08-25-2014

Hi, I am not getting any results if i use that

Can I append results from 2 different sourcetypes?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!