Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I merge two queries using MAP or any other command?

saurabhrai_it
Explorer
‎11-26-2018 10:46 PM

I have 2 queries!

Query 1: Find top 10 API using top command

eg : 

index="some_index" "abc.def.operation"=* | rename "abc.def.operation" as Operation | top limit=10 Operation

Query 2: Find peak hour and the response time of each API

eg : 

index="some_index" "abc.def.operation"=API_NAME |timechart span="1h" avg("abc.def.responseTime") as ResTime, count by index| rename "ResTime: some_index" as avg_res_time, "count: some_index" as NumberOfOccurence | sort - NumberOfOccurence | head 1 | eval avg_res_time=(round(avg_res_time,2)) | eval _time=strftime(_time, "%m/%d/%y %I:%M") | rename avg_res_time as AverageResponseTime(ms), _time as "PeakTime" | eval API=tostring("API_NAME ") | table API PeakTime NumberOfOccurence AverageResponseTime(ms)

The above queries are working fine. But, I have to change the API_NAME every time when I get the result.

When I tried to map the query 1 with query 2 

index="some_index" | rename "abc.def.operation" as Operation | top limit=4 Operation| map search="search index="some_index" "abc.def.operation"=$Operation$ |timechart span="1m" avg("abc.def.responseTime") as ResTime, count by index| rename "ResTime: some_index" as avg_res_time, "count: some_index" as NumberOfOccurence | sort - NumberOfOccurence | head 1 | eval avg_res_time=(round(avg_res_time,2)) | eval _time=strftime(_time, "%m/%d/%y %I:%M") | rename avg_res_time as AverageResponseTime(ms), _time as "PeakTime" | eval API=tostring("$Operation$") | table API PeakTime NumberOfOccurence AverageResponseTime(ms)"

I am getting error Unable to run query (Whole SUBQUERY) .
I tried a lot, but no luck. I will be grateful for any help.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

saurabhrai_it
Explorer
‎02-05-2019 05:13 AM

I used below query which is working fine but counts are getting differed from the manual one.

index="$env$" logger_name="abc.def.RequestOutInterceptor" 
 | rename "abc.def.operation" as Operation 
 | top limit=$api_count$ Operation
 | eval map_env = "$env$"
 | eval _time=strftime(_time, "%m/%d/%y %I:%M") 
 | map maxsearches=$api_count$ search="search index=$$map_env$$ "abc.def.operation"=$$Operation$$ logger_name="abc.def.RequestOutInterceptor" 
 | bucket _time span="1h"\
 | stats avg("abc.def.responseTime") as ResTime, count by abc.def.operation _time 
 | sort - count 
 | head 1 "
 | eval ResTime=(round(ResTime,2)) 
 | rename ResTime as "Average Response Time(ms)",abc.def.operation as "Operation", count as "Operation Count"

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

saurabhrai_it
Explorer
‎02-05-2019 05:13 AM

I used below query which is working fine but counts are getting differed from the manual one.

index="$env$" logger_name="abc.def.RequestOutInterceptor" 
 | rename "abc.def.operation" as Operation 
 | top limit=$api_count$ Operation
 | eval map_env = "$env$"
 | eval _time=strftime(_time, "%m/%d/%y %I:%M") 
 | map maxsearches=$api_count$ search="search index=$$map_env$$ "abc.def.operation"=$$Operation$$ logger_name="abc.def.RequestOutInterceptor" 
 | bucket _time span="1h"\
 | stats avg("abc.def.responseTime") as ResTime, count by abc.def.operation _time 
 | sort - count 
 | head 1 "
 | eval ResTime=(round(ResTime,2)) 
 | rename ResTime as "Average Response Time(ms)",abc.def.operation as "Operation", count as "Operation Count"
0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎12-08-2018 01:59 PM

I am not at all saying that you are doing the right thing the right way (quite probably you are not) but for the purposes of education, there are 2 problems with your search:

1: You are not escaping your double-quotes.
2: You are not properly protecting your field names that have periods in them so that the periods are not interpreted as concatenation operators.

Try this:

index="some_index"
| rename "abc.def.operation" as Operation
| top limit=4 Operation
| map search="search index=\"some_index\" \"abc.def.operation\"=$Operation$
| timechart span=1m avg(abc.def.responseTime) AS avg_res_time, count AS NumberOfOccurence
| sort 1 - NumberOfOccurence
| eval \"AverageResponseTime(ms)\" = round(avg_res_time, 2)
| eval PeakTime = strftime(_time, \"%m/%d/%y %I:%M\")
| eval API=tostring("$Operation$")
| table API PeakTime NumberOfOccurence AverageResponseTime*"
0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎02-02-2019 01:00 PM

@saurabhrai_it, did you try any answers? What is your situation?

0 Karma
Reply
Solved! Jump to solution

saurabhrai_it
Explorer
‎02-03-2019 10:21 PM

The provided answers were not working, may be I hadn't done it right.

I ended up with below query;

index="$env$" logger_name="abc.def.RequestOutInterceptor" 
| rename "abc.def.operation" as Operation 
| top limit=$api_count$ Operation
| eval map_env = "$env$"
| eval _time=strftime(_time, "%m/%d/%y %I:%M") 
| map maxsearches=$api_count$ search="search index=$$map_env$$ "abc.def.operation"=$$Operation$$ logger_name="abc.def.RequestOutInterceptor" 
| bucket _time span="1h"\
| stats avg("abc.def.responseTime") as ResTime, count by abc.def.operation _time 
| sort - count 
| head 1 "
| eval ResTime=(round(ResTime,2)) 
| rename ResTime as "Average Response Time(ms)",abc.def.operation as "Operation", count as "Operation Count"

But the thing is, I am now getting different(less count to be precise) count using the above query.
I tried all MODE from the search but I got different counts.
So, I just started doing my manual work on this as its once in a while task.
Thanks for your concern.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎02-04-2019 01:04 PM

If I am understanding you correctly, you have an answer that works well enough. If it is one of these, then click Accept to close the question. If not, post your answer yourself and Accept yours.

0 Karma
Reply
Solved! Jump to solution

saurabhrai_it
Explorer
‎02-05-2019 05:15 AM

Many thanks, will do the same

0 Karma
Reply
Solved! Jump to solution

felipesewaybric
Contributor
‎12-06-2018 11:14 AM

you can use like:

index="index" [search index="index" earliest=X | top keyX | table keyX]

is like

index="index" (keyX=1 OR keyX=2 OR keyX=N)
0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎12-06-2018 04:02 AM

Have you tried using a subsearch to get the top operations?

index="some_index" [index="some_index" "abc.def.operation"=* | top limit=10 Operation | fields abc.def.operation | format ] |timechart span="1h" avg("abc.def.responseTime") as ResTime, count by index| rename "ResTime: some_index" as avg_res_time, "count: some_index" as NumberOfOccurence | sort - NumberOfOccurence | head 1 | eval avg_res_time=(round(avg_res_time,2)) | eval _time=strftime(_time, "%m/%d/%y %I:%M") | rename avg_res_time as AverageResponseTime(ms), _time as "PeakTime" | eval API=tostring("API_NAME ") | table API PeakTime NumberOfOccurence AverageResponseTime(ms)
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...