Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Combining fields from 2 sourcetypes in a stats...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Combining fields from 2 sourcetypes in a stats block
All,
my query below just returns the values from the first sourcetype (first 3 lines in |stats). The fields from the second sourcetype seems that are not being loaded.
Any clue? I`m sure is something really simple but I can not see it:
index=uberagent (sourcetype=uberAgent:Application:SoftwareUpdateInventory host=*) OR sourcetype=uberAgent:System:SystemPerformanceSummary2
| stats
latest(DisplayName) as "Patch Name"
latest(ProductName) as "Product name"
values(State) as State
avg(CPUUsagePercent) as "CPU"
avg(RAMUsagePercent) as "RAM"
avg(IOPercentDiskTime) as "IO"
by host, InstallDate
| rename host as "Machine Name"
| mvexpand InstallDate
| mvexpand host
| eval "% of CPU" = round((CPU),2)
| eval "% of RAM" = round((CPU),2)
| eval "% of IO" = round((CPU),2)
| eval sortfield=lower(InstallDate)
| table
InstallDate
"Machine Name"
"Patch Name"
"Product name"
State
"% of CPU"
"% of RAM"
"% of IO"
sortfield
| sort limit=0 sortfield
| fields - sortfield
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The solution was to have the data from sourcetype 2 exported to a file and then using a lookup with sourcetype 1.
It works like a charm! The only thing is that I from time to time I need to run the export search to update the file.
Thank you renjithnair for help me on this.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Forgot to add: My ultimate goal is to have a list with the KBs installed on the machines and the avg resource used on that day. Trying to find any outstanding value during the patching process.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Do you have host & InstallDate fields in sourcetype=uberAgent:System:SystemPerformanceSummary2 and are non null?
Try the below and see if you have some events in common.
index=uberagent (sourcetype=uberAgent:Application:SoftwareUpdateInventory host=*) OR sourcetype=uberAgent:System:SystemPerformanceSummary2
|stats dc(sourcetype) as c by host,InstallDate |where c>1
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Of course! that is the point! 🙂
The InstallDate is not on sourcetype 2.
Said that, I need my calculations based on the InstallDate values.
How can I do that?
Maybe in this case I should use the JOIN with HOST field that is common to both?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can not really say without seeing the events. But you may try including the InstallDate in existing stats as values(InstallDate ) as InstallDate . In between, in the currrent search are you getting host and InstallDate as multivalue field or wha'ts the use of mvexpand host and mvexpand InstallDate ?
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for you help on this!
I`ve tried to use values(InstallDate ) as InstallDate in the current stats but got the following error:
Error in 'stats' command: The output field 'InstallDate' cannot have the same name as a group-by field.
if use a separated stats, nothing comes up.
About the mvexpand, I`m using because was the way a found to get the same result as the splitrow in pivot.
See below an example of the events:
InstallDate Machine Name Patch Name ProducName %of CPU %of RAM % of IO
2018-01-01 KB1234 Office
2018-01-01 KB1234 Office
2018-01-02 KB1234 Office
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
values(InstallDate ) as InstallDate by host (exclude the InstallDate from by clause)
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
InstallDate Machine Name Patch Name ProducName %of CPU %of RAM % of IO
2018-01-01 SERVERA KB1234 Office null null null
2018-01-01 SERVERB KB1234 Office null null null
2018-01-02 SERVERC KB1234 Office null null null
Credit Card Data Protection & PCI Compliance with Splunk Edge Processor
Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!
Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern
