Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to combine multiple queries into one?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to combine multiple queries into one?
vintik
Engager
09-06-2018
01:18 AM
Hello,
I have multiple queries with small differences, is it possible to combine them?
Here is example:
index=some_index sourcetype=some_source host=*host* (span_name=SomeSpanName1) | eval duration=span_duration/1000 | stats p99(duration)
index=some_index sourcetype=some_source host=*host* (span_name=SomeSpanName2 OR span_name=SomeSpanName3) | eval duration=span_duration/1000 | stats p99(duration)
index=some_index sourcetype=some_source host=*host* (span_name=SomeSpanName4) | eval duration=span_duration/1000 | stats p99(duration)
The result of each query is only one column p99(duration) with value.
Is it possible to combine these queries and get a result with three columns with different names (I need to know the correspondence of each column to the condition)?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
HiroshiSatoh
Champion
09-06-2018
02:08 AM
Try this!
index=some_index sourcetype=some_source host=*host* (span_name=SomeSpanName1 OR span_name=SomeSpanName2 OR span_name=SomeSpanName3 OR span_name=SomeSpanName4)
| eval duration=span_duration/1000 | stats p99(duration) by span_name
| transpose header_field=span_name| fields - column
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
harsmarvania57
Ultra Champion
09-06-2018
01:35 AM
Hi @vintik,
Please try below query.
index=some_index sourcetype=some_source host=*host* (span_name=SomeSpanName1 OR span_name=SomeSpanName2 OR span_name=SomeSpanName3 OR span_name=SomeSpanName4)
| eval duration=span_duration/1000
| stats p99(eval(if(span_name="SomeSpanName1",duration,0))) AS p99_Span1, p99(eval(if(span_name="SomeSpanName2" OR span_name="SomeSpanName3",duration,0))) AS p99_Span2_3, p99(eval(if(span_name="SomeSpanName4",duration,0))) AS p99_Span4
I have created run anywhere search as below which gives me correct result.
| makeresults | eval span_name="SomeSpanName1", span_duration="1001"
| append [ makeresults | eval span_name="SomeSpanName2", span_duration="2001" ]
| append [ makeresults | eval span_name="SomeSpanName3", span_duration="3001" ]
| append [ makeresults | eval span_name="SomeSpanName4", span_duration="4001" ]
| eval duration=span_duration/1000
| stats p99(eval(if(span_name="SomeSpanName1",duration,0))) AS p99_Span1, p99(eval(if(span_name="SomeSpanName2" OR span_name="SomeSpanName3",duration,0))) AS p99_Span2_3, p99(eval(if(span_name="SomeSpanName4",duration,0))) AS p99_Span4
Get Updates on the Splunk Community!
[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events
This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...
Data Management Digest – December 2025
Welcome to the December edition of Data Management Digest!
As we continue our journey of data innovation, the ...
Index This | What is broken 80% of the time by February?
December 2025 Edition
Hayyy Splunk Education Enthusiasts and the Eternally Curious!
We’re back with this ...
