Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Can appendcols be used for grouping?

tccooper
Explorer
‎08-31-2017 10:53 AM

I have the following query

index="XXXXXXXXXX" Device="*FPB*" OR Device="*VAV*" Point_Name="ActFlow" 
|bin span=15m _time
|stats last(Value) as AirFlow by Device, _time
|appendcols [|search index="XXXXXXXXXX" Device="*FPB*" OR Device="*VAV*"  Point_Name="ActFlowSP" |bin span=15m _time |stats last(Value) as Setpoint by Device, _time]
|eval difference = (1 - (Setpoint/AirFlow))
|where difference > .2
|fields _time, Device, difference

The issue is the results of the subquery are not grouping based off the Device. Suggestions on how to fix?

0 Karma
Reply

woodcock
Esteemed Legend
‎09-02-2017 05:40 PM

You approach is sound so you have a bug somewhere. This analogous run-anywhere example shows that it works:

index=_* sourcetype=*splunk* OR sourcetype=*web* 
| rename sourcetype AS Device 
| eval Point_Name="ActFlow" 
| eval Value=random() 
| bin span=15m _time 
| stats last(Value) as AirFlow by Device, _time 
| appendcols 
    [| search index=_* sourcetype=*splunk* OR sourcetype=*web* 
    | rename sourcetype AS Device 
    | eval Point_Name="ActFlowSP" 
    | eval Value=random() 
    | bin span=15m _time 
    | stats last(Value) as Setpoint by Device, _time] 
| eval difference = (1 - (Setpoint/AirFlow)) 
| where difference > .2 
| fields _time, Device, difference

The problem is probably that you have "holes" in your 15-minute buckets. Let's use timechart, which has the handy benefit of building empty buckets, to our advantage. Does this work for you (You must still beware divide-by-zero)?

index="XXXXXXXXXX" Device="*FPB*" OR Device="*VAV*" Point_Name="ActFlow"
| timechart span=15m last(Value) AS AirFlow BY Device
| untable _time Device AirFlow
| appendcols 
    [| search index="XXXXXXXXXX" Device="*FPB*" OR Device="*VAV*" Point_Name="ActFlowSP"
    | timechart span=15m last(Value) AS Setpoint BY Device
    | untable _time Device Setpoint] 
| eval difference = (1 - (Setpoint/AirFlow)) 
| where difference > .2 
| fields _time, Device, difference
0 Karma
Reply

somesoni2
Revered Legend
‎08-31-2017 11:04 AM

The appendcols doesn't do grouping/join, it just places columns/rows from two queries side by side (this can shed some light). I would suggest trying like this (avoiding append-subsearch altogether).

index="XXXXXXXXXX" Device="*FPB*" OR Device="*VAV*" Point_Name="ActFlow" OR Point_Name="ActFlowSP"
| eval AirFlow=if(Point_Name="ActFlow",Value,null())
| eval Setpoint=if(Point_Name="ActFlowSP",Value,null()
|bin span=15m _time
 |stats last(AirFlow) as AirFlow last(Setpoint) as Setpoint by Device, _time
|eval difference = (1 - (Setpoint/AirFlow))
 |where difference > .2
|fields _time, Device, difference
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...