- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Combine 3 queries using a common field
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Combine 3 queries using a common field
Hi
I have 3 queries as below and all 3 of them have a common field "loaderId". I used join to combine their results in a table format and calculated P95 on their times. But I believe there has to be a better approach to this problem. Please let me know one.
Eg:
index=* ... | search eventSource="Page Load" | |table eventSource, duration1, loaderId | join loaderId [search
index=* ... | search eventSource="End to End Time" | table eventSource, duration2, loaderId | join loaderId [
index=* ... | search eventSource="Total Time" table eventSource, duration3, loaderId] | table eventSource, duration1, duration2, duration3, loaderId | stats perc95(duration1), perc95(duration2), perc95(duration3)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think this is what I am looking at. Let me try.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I guess the devil's in the detail with your example, as the ... in the query might be significant, however, if you have duration 1,2,3 in your data then the simple
index=* ... (eventSource="Page Load" OR eventSource="End to End Time" OR eventSource="Total Time")
| stats perc95(duration1), perc95(duration2), perc95(duration3) by loaderId
would be a start - note I split by loaderId, which I am not sure is what you want. However, if you do not have the duration fields and the '...' is part of your duration calculation, then there's no reason why you could not calculate the durations by using eval/case, something like
| eval duration1=if(eventSource="Page Load",xxx,null())
| eval duration2=if(eventSource="End to End Time",yyy,null())
| eval duration3=if(eventSource="Total Time",zzz,null())Not sure if this will get you to where you want to get to, but I would need a little more detail on your data, but hope it helps
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tried the above, but still I have some issues. Let me explain (what I missed to do above).
What I have:
I have 3 different events being generated async. with their corresponding durations. They all share a common Id called "loaderId". see eg. below
Event Source LoaderId Duration
Page Load 03904756 33.2
Page Load 03904766 23.2
Event Source LoaderId Duration
End To End 03904756 33.4
Event Source LoaderId Duration
Total Time 03904756 33.7
In the above example, you can see there are 2 events in Page Load but only 1 for the other 2.
What I want:
When I used join using LoaderId, I get the final output like below.
LoaderId "Page Load Time" "End to End Time" "Total Time"
03904756 33.2 33.4 33.7
This eliminates rows from all events where there are no duration values in any of 3 event sources.
What Happened with previous Suggestion:
When I tried to group by loaderId I see results like below
LoaderId "Page Load Time" "End to End Time" "Total Time"
03904756 33.2 33.4 33.7
03904766 23.2
I tried to remove the 2nd row by using len function or isnotnull for durations, but it didn't help. Let me know how I can get the result.
Splunk APM: New Product Features + Community Office Hours Recap!
Index This | Forward, I’m heavy; backward, I’m not. What am I?
A Guide To Cloud Migration Success
