Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forย 
Search instead forย 
Did you mean:ย 
Ask a Question
Solved! Jump to solution

How to combine my 2 searches?

bosch_softtec
Explorer
โ€Ž12-14-2016 07:00 AM

Hi,

splunk Version 6.5.0

I try to combine 2 seaches and get 1 result of them, I tried the following without any success, maybe it's only wrong syntax I used:

index=rabbitmq | search properties_key="lsg*" | stats count by vhost, properties_key | table vhost | stats count(vhost) as Total | join [index=rabbitmq earliest=-60 | search properties_key="lsg*" | stats count by vhost, properties_key | table vhost | stats count(vhost) as Online] | eval difference=Total-Online

also I tried:

index=rabbitmq | search properties_key="lsg*" | stats count by vhost, properties_key | table vhost | stats count(vhost) as Total | append [index=rabbitmq earliest=-60 | search properties_key="lsg*" | stats count by vhost, properties_key | table vhost | stats count(vhost) as Online] | eval difference=Total-Online

What did I wrong?

Thanks for your tips and answers

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

twinspop
Influencer
โ€Ž12-14-2016 07:14 AM

A few things: I don't understand what you're trying to do with the first 2 stats() commands. A count of properties_key? Maybe you want to use dc()? I'm leaving it as is, mostly. In any case, the first 2 search terms can definitely come together, and the table command doesn't do anything for you. When you have a sub search, you must explicitly declare the search command to use -- in this case, search. But I don't see that you're "join"ing any data. Probably appendcols is what you want?

index=rabbitmq properties_key="lsg*" | stats count by vhost, properties_key | stats count(vhost) as Total | appendcols [search index=rabbitmq earliest=-60 properties_key="lsg*" | stats count by vhost, properties_key | stats count(vhost) as Online] | eval difference=Total-Online

I hope this helps.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

twinspop
Influencer
โ€Ž12-14-2016 07:14 AM

A few things: I don't understand what you're trying to do with the first 2 stats() commands. A count of properties_key? Maybe you want to use dc()? I'm leaving it as is, mostly. In any case, the first 2 search terms can definitely come together, and the table command doesn't do anything for you. When you have a sub search, you must explicitly declare the search command to use -- in this case, search. But I don't see that you're "join"ing any data. Probably appendcols is what you want?

index=rabbitmq properties_key="lsg*" | stats count by vhost, properties_key | stats count(vhost) as Total | appendcols [search index=rabbitmq earliest=-60 properties_key="lsg*" | stats count by vhost, properties_key | stats count(vhost) as Online] | eval difference=Total-Online

I hope this helps.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

bosch_softtec
Explorer
โ€Ž12-14-2016 07:32 AM

Thanks for the dc() and table hint, I'll check it.
Your adapted search is working with appendcols.

0 Karma
Reply