How To Join Results From Multiple Searches

theironcook
Explorer

I'm trying to create a simple control chart (where I show a line 3 standard deviations away from the mean). I just need to calculate what the standard deviation is for my entire set of data, multiply by 3 and plot the line along with my data.

Originally I tried to use a pivot because I used DataSets for speed but eventually gave up.

Now I'm trying the search syntax, and it appears that the "append" command is what I need.

host=serverName sourcetype=http_access_log | append [search host=serverName sourcetype=http_access_log | stats stdev(ResponseTime) as TotalStdDev] | table _time host ResponseTime TotalStdDev

I'm just trying to generate a simple table to start with that has the TotalStdDev copied for each entry. Maybe then I can start aggregating based on days. But I can't even get the total standard deviation for the entire data set into my table.

Any suggestions out there?
Thanks,

1 Solution

somesoni2
Revered Legend

Give this a try

host=serverName sourcetype=http_access_log | eventstats stdev(ResponseTime) as TotalStdDev | table _time host ResponseTime TotalStdDev

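As an added illustration (not code from this thread), the following Python model shows why the original `append` search yields TotalStdDev on only one extra row while `eventstats` copies the whole-set statistic onto every event, and then carries that through to the 3-standard-deviation control chart the question asks for. The sample events, and the SPL sketched in the control_chart docstring, are constructed assumptions, not taken from the post.

```python
from statistics import mean, stdev

# Constructed sample events (not from the original post): 19 ordinary response
# times followed by one spike, shaped like `table _time host ResponseTime` output.
BASELINE = [120, 135, 110, 128, 118, 125, 131, 115, 122, 127,
            119, 124, 130, 112, 126, 121, 133, 117, 123]
EVENTS = [{"_time": f"2024-01-01T00:{i:02d}:00", "host": "serverName", "ResponseTime": rt}
          for i, rt in enumerate(BASELINE + [900])]


def with_append(events):
    """Mimic `... | append [search ... | stats stdev(ResponseTime) as TotalStdDev]`.

    The subsearch returns a single row, so append adds ONE extra row carrying
    TotalStdDev; the original events never receive the field. That is why the
    poster's table did not show TotalStdDev beside each entry.
    """
    rows = [dict(e) for e in events]
    rows.append({"TotalStdDev": stdev([e["ResponseTime"] for e in events])})
    return rows


def with_eventstats(events):
    """Mimic `... | eventstats stdev(ResponseTime) as TotalStdDev`.

    eventstats computes the statistic over the whole result set and writes it
    onto EVERY event, which is what a control chart needs.
    """
    total_sd = stdev([e["ResponseTime"] for e in events])  # sample stdev, as Splunk stdev()
    return [{**e, "TotalStdDev": total_sd} for e in events]


def control_chart(events, k=3):
    """Attach Mean, the k-sigma limits (UCL/LCL) and an OutOfControl flag to each event.

    Assumed SPL equivalent (my sketch, not from the thread):
    ... | eventstats avg(ResponseTime) as Mean stdev(ResponseTime) as TotalStdDev
        | eval UCL=Mean+3*TotalStdDev, LCL=Mean-3*TotalStdDev,
               OutOfControl=if(ResponseTime>UCL OR ResponseTime<LCL, 1, 0)
    """
    rows = with_eventstats(events)
    mu = mean([e["ResponseTime"] for e in events])
    for r in rows:
        r["Mean"] = mu
        r["UCL"] = mu + k * r["TotalStdDev"]
        r["LCL"] = mu - k * r["TotalStdDev"]
        r["OutOfControl"] = not (r["LCL"] <= r["ResponseTime"] <= r["UCL"])
    return rows


if __name__ == "__main__":
    for row in control_chart(EVENTS):
        if row["OutOfControl"]:
            print(f"{row['_time']} ResponseTime={row['ResponseTime']} exceeds UCL={row['UCL']:.1f}")
```

Run stand-alone it prints only the spike at minute 19; with a single large outlier in a small sample the standard deviation inflates, so keep enough baseline events for the 3-sigma line to be meaningful.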

theironcook
Explorer

Nice! Thanks MuS and somesoni2!
I went with the eventstats option. It works beautifully.


MuS
Legend

Hi theironcook,

Take a look at this answer: https://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-jo... It provides some examples of how it can be done. The answer is not limited to two source ... it can be applied to endless events.

Hope this helps ...

cheers, MuS
