Re: How to combine multiple queries into one?

vintik · ‎09-06-2018

Hello,

I have multiple queries with small differences, is it possible to combine them?

Here is example:

index=some_index sourcetype=some_source host=*host* (span_name=SomeSpanName1)  | eval duration=span_duration/1000 | stats p99(duration)

index=some_index sourcetype=some_source host=*host* (span_name=SomeSpanName2 OR span_name=SomeSpanName3)  | eval duration=span_duration/1000 | stats p99(duration)

index=some_index sourcetype=some_source host=*host* (span_name=SomeSpanName4)  | eval duration=span_duration/1000 | stats p99(duration)

The result of each query is only one column p99(duration) with value.

Is it possible to combine these queries and get a result with three columns with different names (I need to know the correspondence of each column to the condition)?

HiroshiSatoh · ‎09-06-2018

Try this!

 index=some_index sourcetype=some_source host=*host*  (span_name=SomeSpanName1 OR span_name=SomeSpanName2 OR span_name=SomeSpanName3 OR span_name=SomeSpanName4)
| eval duration=span_duration/1000 | stats p99(duration)  by span_name
| transpose header_field=span_name| fields - column

harsmarvania57 · ‎09-06-2018

Hi @vintik,

Please try below query.

index=some_index sourcetype=some_source host=*host* (span_name=SomeSpanName1 OR span_name=SomeSpanName2 OR span_name=SomeSpanName3 OR span_name=SomeSpanName4)
| eval duration=span_duration/1000
| stats p99(eval(if(span_name="SomeSpanName1",duration,0))) AS p99_Span1, p99(eval(if(span_name="SomeSpanName2" OR span_name="SomeSpanName3",duration,0))) AS p99_Span2_3, p99(eval(if(span_name="SomeSpanName4",duration,0))) AS p99_Span4

I have created run anywhere search as below which gives me correct result.

| makeresults | eval span_name="SomeSpanName1", span_duration="1001"
| append [ makeresults | eval span_name="SomeSpanName2", span_duration="2001" ]
| append [ makeresults | eval span_name="SomeSpanName3", span_duration="3001" ]
| append [ makeresults | eval span_name="SomeSpanName4", span_duration="4001" ]
| eval duration=span_duration/1000
| stats p99(eval(if(span_name="SomeSpanName1",duration,0))) AS p99_Span1, p99(eval(if(span_name="SomeSpanName2" OR span_name="SomeSpanName3",duration,0))) AS p99_Span2_3, p99(eval(if(span_name="SomeSpanName4",duration,0))) AS p99_Span4

How to combine multiple queries into one?

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

Are you a member of the Splunk Community?

How to combine multiple queries into one?

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?