Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to combine my 2 searches?

bosch_softtec
Path Finder
‎12-14-2016 07:00 AM

Hi,

splunk Version 6.5.0

I try to combine 2 seaches and get 1 result of them, I tried the following without any success, maybe it's only wrong syntax I used:

index=rabbitmq | search properties_key="lsg*" | stats count by vhost, properties_key | table vhost | stats count(vhost) as Total | join [index=rabbitmq earliest=-60 | search properties_key="lsg*" | stats count by vhost, properties_key | table vhost | stats count(vhost) as Online] | eval difference=Total-Online

also I tried:

index=rabbitmq | search properties_key="lsg*" | stats count by vhost, properties_key | table vhost | stats count(vhost) as Total | append [index=rabbitmq earliest=-60 | search properties_key="lsg*" | stats count by vhost, properties_key | table vhost | stats count(vhost) as Online] | eval difference=Total-Online

What did I wrong?

Thanks for your tips and answers

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

twinspop
Influencer
‎12-14-2016 07:14 AM

A few things: I don't understand what you're trying to do with the first 2 stats() commands. A count of properties_key? Maybe you want to use dc()? I'm leaving it as is, mostly. In any case, the first 2 search terms can definitely come together, and the table command doesn't do anything for you. When you have a sub search, you must explicitly declare the search command to use -- in this case, search. But I don't see that you're "join"ing any data. Probably appendcols is what you want?

index=rabbitmq properties_key="lsg*" | stats count by vhost, properties_key | stats count(vhost) as Total | appendcols [search index=rabbitmq earliest=-60 properties_key="lsg*" | stats count by vhost, properties_key | stats count(vhost) as Online] | eval difference=Total-Online

I hope this helps.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

twinspop
Influencer
‎12-14-2016 07:14 AM

A few things: I don't understand what you're trying to do with the first 2 stats() commands. A count of properties_key? Maybe you want to use dc()? I'm leaving it as is, mostly. In any case, the first 2 search terms can definitely come together, and the table command doesn't do anything for you. When you have a sub search, you must explicitly declare the search command to use -- in this case, search. But I don't see that you're "join"ing any data. Probably appendcols is what you want?

index=rabbitmq properties_key="lsg*" | stats count by vhost, properties_key | stats count(vhost) as Total | appendcols [search index=rabbitmq earliest=-60 properties_key="lsg*" | stats count by vhost, properties_key | stats count(vhost) as Online] | eval difference=Total-Online

I hope this helps.

0 Karma
Reply
Solved! Jump to solution

bosch_softtec
Path Finder
‎12-14-2016 07:32 AM

Thanks for the dc() and table hint, I'll check it.
Your adapted search is working with appendcols.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...

It’s go time — Boston, here we come!

Are you ready to take your Splunk skills to the next level? Get set, because Splunk University is back, and ...

Performance Tuning the Platform, SPL2 Templates, and More New Articles on Splunk ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
Top