Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to combine multiple chart queries into one?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to combine multiple chart queries into one?
Hello splunk community. As on today we have two queries that are running
Count of api grouped by apiName and status
index=aws* api.metaData.pid="myAppName"
| rename api.p as apiName
| chart count BY apiName "api.metaData.status"
| multikv forceheader=1
| table apiName success error NULL
Which displays a table something like shown below
=====================================
| apiName || success || error || NULL. |
====================================
| Test1 || 10 || 20. || 0 |
| Test2 || 10 || 20. || 0 |
| Test3 || 10 || 20. || 0 |
| Test4 || 10 || 20. || 0 |
| Test5 || 10 || 20. || 0 |
| Test6 || 10 || 20. || 0 |
latency of api grouped by apiName
index=aws* api.metaData.pid="myAppName"
| rename api.p as apiName
| rename api.measures.tt as Response_Time
| chart min(Response_Time) as RT_fastest max(Response_Time) as RT_slowest by apiName
| table apiName RT_fastest RT_slowest
which displays a table something like below
Question:
If you see the above tables, both tables are grouped with apiName. Is there a way to combine these queries so that i get a single result something like this
| Test2 || 10 || 20. || 20. || 20. || 20. ||
| Test3 || 10 || 20. || 20. || 20. || 20. ||
| Test4 || 10 || 20. || 20. || 20. || 20. ||
| Test5 || 10 || 20. || 20. || 20. || 20. ||
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is essentially the same problem as has been answered here https://community.splunk.com/t5/Splunk-Search/Appending-tp99-as-a-new-column-in-the-existing-query/m... You have to do the stats which are aggregated by apiName first and concatenate it to the apiName, then do the stats which are aggregated by apiName and status, then split out the stats which were aggregated by just apiName
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
