Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to combine multiple chart queries into one?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to combine multiple chart queries into one?
VikhyathMaiya
Explorer
02-18-2022
07:39 AM
Hello splunk community. As on today we have two queries that are running
Count of api grouped by apiName and status
index=aws* api.metaData.pid="myAppName"
| rename api.p as apiName
| chart count BY apiName "api.metaData.status"
| multikv forceheader=1
| table apiName success error NULL
Which displays a table something like shown below
=====================================
| apiName || success || error || NULL. |
====================================
| Test1 || 10 || 20. || 0 |
| Test2 || 10 || 20. || 0 |
| Test3 || 10 || 20. || 0 |
| Test4 || 10 || 20. || 0 |
| Test5 || 10 || 20. || 0 |
| Test6 || 10 || 20. || 0 |
latency of api grouped by apiName
index=aws* api.metaData.pid="myAppName"
| rename api.p as apiName
| rename api.measures.tt as Response_Time
| chart min(Response_Time) as RT_fastest max(Response_Time) as RT_slowest by apiName
| table apiName RT_fastest RT_slowest
which displays a table something like below
==================================
| apiName || RT_fastest || RT_slowest
==================================
| Test1 || 10 || 20. |
| Test2 || 10 || 20. |
| Test3 || 10 || 20. |
| Test4 || 10 || 20. |
| Test5 || 10 || 20. |
| Test6 || 10 || 20. |
Question:
If you see the above tables, both tables are grouped with apiName. Is there a way to combine these queries so that i get a single result something like this
I could not find any documentation regarding combining multiple chart query into one. Could someone please help me with this. Thanks 🙂
Question:
If you see the above tables, both tables are grouped with apiName. Is there a way to combine these queries so that i get a single result something like this
|===============================================
| apiName || success || error || NULL || RT_fastest. || RT_slowest |
===============================================
| Test1 || 10 || 20. || 20. || 20. || 20. ||
| Test2 || 10 || 20. || 20. || 20. || 20. ||
| Test3 || 10 || 20. || 20. || 20. || 20. ||
| Test4 || 10 || 20. || 20. || 20. || 20. ||
| Test5 || 10 || 20. || 20. || 20. || 20. ||
| Test2 || 10 || 20. || 20. || 20. || 20. ||
| Test3 || 10 || 20. || 20. || 20. || 20. ||
| Test4 || 10 || 20. || 20. || 20. || 20. ||
| Test5 || 10 || 20. || 20. || 20. || 20. ||
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ITWhisperer
SplunkTrust
02-18-2022
08:03 AM
This is essentially the same problem as has been answered here https://community.splunk.com/t5/Splunk-Search/Appending-tp99-as-a-new-column-in-the-existing-query/m... You have to do the stats which are aggregated by apiName first and concatenate it to the apiName, then do the stats which are aggregated by apiName and status, then split out the stats which were aggregated by just apiName
Get Updates on the Splunk Community!
The Payment Operations Wake-Up Call: Why Financial Institutions Can't Afford ...
The same scenario plays out across financial institutions daily. A payment system fails at 11:30 AM on a busy ...
Make Your Case: A Ready-to-Send Letter for Getting Approval to Attend .conf25
Hello Splunkers,
Want to attend .conf25 in Boston this year but not sure how to convince your manager? We've ...
Community Spotlight: A Splunk Expert's Journey
In the world of data analytics, some journeys leave a lasting impact not only on the individual but on the ...
