Re: Hi, I am facing problem with multiple subqueri...

toabhishek16 · ‎09-30-2014

Query "index=idx1 sourcetype=src1 sender="xyz" | timechart count as res1" showing results properly, and

Query "index=idx1 sourcetype=src1 sender="abc" | timechart count as res2" not showing any result.

when I am trying to combine both the queries as below:
index=idx1 sourcetype=src1 sender="xyz" | timechart count as res1 | appendcols [search index=idx1 sourcetype=src1 sender="abc" | timechart count as res2] | fillnull res1, res2

it is giving result, but no value for _time field .

how I can get values for _time field.

pls help me....

ltrand · ‎09-30-2014

Joined Query
"index=idx1 sourcetype=src1 sender="xyz" OR sender="abc" | timechart count by sender

This is significantly more efficent than the options above. It makes a single pass in the index and sourcetype to pull the data and populates the chart. Before you have to query the same data twice to pull information. Then you have to join the two results before charting.

somesoni2 · ‎09-30-2014

Try something like this

index= idx1 sourcetype=src1 sender="abc" OR sender="xyz" | timechart count(eval(sender="abc") as res1 count(eval(sender="xyz") as res2

linu1988 · ‎09-30-2014

Hello,
Rather than appending the result

just do the below

index=idx1 sourcetype=src1 OR sourcetype=src2|timechart count by sourcetype

Thanks,
L

Hi, I am facing problem with multiple subqueries in timechart. it is not showing the value for _time field.

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk