- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
splunk Version 6.5.0
I try to combine 2 seaches and get 1 result of them, I tried the following without any success, maybe it's only wrong syntax I used:
index=rabbitmq | search properties_key="lsg*" | stats count by vhost, properties_key | table vhost | stats count(vhost) as Total | join [index=rabbitmq earliest=-60 | search properties_key="lsg*" | stats count by vhost, properties_key | table vhost | stats count(vhost) as Online] | eval difference=Total-Online
also I tried:
index=rabbitmq | search properties_key="lsg*" | stats count by vhost, properties_key | table vhost | stats count(vhost) as Total | append [index=rabbitmq earliest=-60 | search properties_key="lsg*" | stats count by vhost, properties_key | table vhost | stats count(vhost) as Online] | eval difference=Total-Online
What did I wrong?
Thanks for your tips and answers
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
A few things: I don't understand what you're trying to do with the first 2 stats() commands. A count of properties_key? Maybe you want to use dc()? I'm leaving it as is, mostly. In any case, the first 2 search terms can definitely come together, and the table command doesn't do anything for you. When you have a sub search, you must explicitly declare the search command to use -- in this case, search. But I don't see that you're "join"ing any data. Probably appendcols is what you want?
index=rabbitmq properties_key="lsg*" | stats count by vhost, properties_key | stats count(vhost) as Total | appendcols [search index=rabbitmq earliest=-60 properties_key="lsg*" | stats count by vhost, properties_key | stats count(vhost) as Online] | eval difference=Total-Online
I hope this helps.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
A few things: I don't understand what you're trying to do with the first 2 stats() commands. A count of properties_key? Maybe you want to use dc()? I'm leaving it as is, mostly. In any case, the first 2 search terms can definitely come together, and the table command doesn't do anything for you. When you have a sub search, you must explicitly declare the search command to use -- in this case, search. But I don't see that you're "join"ing any data. Probably appendcols is what you want?
index=rabbitmq properties_key="lsg*" | stats count by vhost, properties_key | stats count(vhost) as Total | appendcols [search index=rabbitmq earliest=-60 properties_key="lsg*" | stats count by vhost, properties_key | stats count(vhost) as Online] | eval difference=Total-Online
I hope this helps.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the dc() and table hint, I'll check it.
Your adapted search is working with appendcols.
