Splunk Search

Combining a stats search and normal search

shellnight
Explorer

Is there a query to combine two searches, a normal search and a stats search, and display a single output on the dashboard?

For example:

Normal search
index=server event-type=diskfailure earliest=-24h

AND

Stats search
index=server event-type="high mem-utilization" | stats count by hostname | where count > 3

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

I'm not sure how you'd like to combine the two, so here's one way of achieving a combination:

index=server event-type="diskfailure" OR event-type="high mem-utilization" | stats count by hostname event-type

shellnight
Explorer

Hello Martin,

Can you give an update on this?

Thanks a lot for your help in advance.

0 Karma

shellnight
Explorer

Hi Martin,

Need your help again. The count provided for the event with the threshold value is incorrect.
It gives the value as 1 with a flat sparkline, when there were actually 5 occurrences in an hour.

I need the count to be displayed as 5 and not as 1.

Let's assume there were 10 events in total in a 24 hr period. The final table should be like below:

Eventname - count

Event 1 - 1
Event 2 - 1
Event 3 (the threshold event where count exceeds 3 in an hour) - 5
Event 4 ... - 1

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

Wonderful.

0 Karma

shellnight
Explorer

Thanks a lot for your help , Martin.

I am now able to get the results that I wanted

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

OR is the logical OR operator, yielding true if at least one of its operands is true.

http://docs.splunk.com/Documentation/Splunk/6.1.4/SearchReference/where

0 Karma

shellnight
Explorer

Now I lost the results of the stats search for the 2nd event type, high mem utilization. What does the OR operator do here?

Maybe I am doing something wrong; can you post the entire query here?

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

That's exactly what this does, it leaves the disk alone and filters the other event type. If you have more than one non-filtered event type you can also use this:

... | where NOT 'event-type'="high mem-utilization" OR count > 3

0 Karma

shellnight
Explorer

Martin, I need to filter by count only for the 2nd event type, high mem utilization. All the other event types need to stay as they are.

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

Be smarter about your where condition then:

... | where 'event-type'="diskfailure" OR count > 3

That'll keep all diskfailure results and filter by count for the rest.

0 Karma
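To make the difference between the two where clauses concrete, here is an added Python emulation of the pipeline from this thread (it is not Splunk code and not part of the original answers). It runs the equivalent of `stats count by hostname event-type` over a handful of constructed events, then applies `where count > 3` and `where 'event-type'="diskfailure" OR count > 3` side by side. It also goes one step beyond the thread: with `hourly=True` it truncates timestamps to the hour first (the equivalent of `bin _time span=1h` before the stats), which is how the per-hour threshold the asker describes later would be expressed. The hostnames, timestamps and event counts are all constructed sample values.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample events (not real data): the two event types from the question.
T0 = datetime(2024, 1, 1, 0, 0, 0)


def make_event(minutes, host, etype):
    """Build one event as Splunk would present it: _time, hostname, event-type."""
    return {"_time": T0 + timedelta(minutes=minutes), "hostname": host, "event-type": etype}


EVENTS = [
    make_event(5, "web01", "diskfailure"),
    make_event(7, "db01", "diskfailure"),
    # db02: five high-memory events inside hour 0 (over the threshold of 3) ...
    make_event(10, "db02", "high mem-utilization"),
    make_event(12, "db02", "high mem-utilization"),
    make_event(20, "db02", "high mem-utilization"),
    make_event(30, "db02", "high mem-utilization"),
    make_event(40, "db02", "high mem-utilization"),
    # ... and one more in hour 3, which on its own is below the threshold
    make_event(190, "db02", "high mem-utilization"),
    # app01: only two high-memory events, below the threshold
    make_event(15, "app01", "high mem-utilization"),
    make_event(25, "app01", "high mem-utilization"),
]


def stats_count_by(events, fields):
    """`| stats count by <fields>`: one row per distinct combination of the by-fields."""
    counts = Counter(tuple(e[f] for f in fields) for e in events)
    return [dict(zip(fields, key), count=n) for key, n in counts.items()]


def bin_time_1h(events):
    """`| bin _time span=1h`: truncate each event's timestamp to the hour."""
    return [{**e, "_time": e["_time"].replace(minute=0, second=0, microsecond=0)} for e in events]


def where_count_only(rows):
    """`| where count > 3`: applied to every row, so the single diskfailure rows vanish."""
    return [r for r in rows if r["count"] > 3]


def where_diskfailure_or_count(rows):
    """`| where 'event-type'="diskfailure" OR count > 3`: keep every diskfailure row,
    apply the threshold only to the other event type."""
    return [r for r in rows if r["event-type"] == "diskfailure" or r["count"] > 3]


def combined_search(events, hourly=False):
    """The whole pipeline from the thread: one search over both event types, a stats,
    and the OR-style where. With hourly=True the threshold is evaluated per hour."""
    by_fields = ["hostname", "event-type"]
    if hourly:
        events = bin_time_1h(events)
        by_fields = ["_time"] + by_fields
    return where_diskfailure_or_count(stats_count_by(events, by_fields))


if __name__ == "__main__":
    rows = stats_count_by(EVENTS, ["hostname", "event-type"])
    print("stats count by hostname event-type:", rows)
    print("where count > 3 (drops the diskfailure rows):", where_count_only(rows))
    print("where diskfailure OR count > 3:", where_diskfailure_or_count(rows))
    print("same, per hour:", combined_search(EVENTS, hourly=True))
```

With the plain `count > 3` filter only db02 survives, which is exactly the symptom reported below; with the OR form the two diskfailure hosts are kept and db02 still passes. The per-hour variant reports db02 with count 5 for hour 0 and drops its lone hour-3 event, matching the "5 and not 1" the asker wanted. Note the single quotes around `'event-type'` in the where clause: in eval expressions an unquoted hyphenated name is read as a subtraction.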

shellnight
Explorer

I added where count > 3 and it removes all the results of the first event type whose count is less than 3.
I need this to be applied only to the 2nd event type, not to the first event type.

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

You can add any where command after the stats to filter by whatever you need.

0 Karma

shellnight
Explorer

It still shows results where count is less than 3. Is there a way to filter them out of the table?

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

It's right in the answer I first posted, see stats count by hostname event-type.

0 Karma

shellnight
Explorer

Hi Martin, please let me know the query to group by event type to be able to distinguish between the two.

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

Please start using the comment function to post comments rather than posting comments as an answer.

You're seeing weird results because you're running a second stats over partial raw data and partial stats data. You'll want to group by event type to be able to distinguish between the two, which leads you back to my original search.

shellnight
Explorer

I have added the pipe but I am seeing results of the second event type
where count has not exceeded the threshold of 3 in an hour.

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

There's a pipe missing before the last stats.

0 Karma

shellnight
Explorer

I am not able to run a stats command at the end.

index=server event-type=diskfailure earliest=-24h | append [index=server event-type="high mem-utilization" | stats count by hostname | where count > 3] stats count by hostname

It gives the error:
Error in 'append' command: The last argument must be a subsearch.

0 Karma