Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to combine my two tstats searches?

abbam
Explorer
‎04-04-2016 01:55 AM

Hi,

Wondering if someone could help me here, I'm trying to join two tstats searches together.

I basically want to get a result 120 minutes ago and a result for the last 60 minutes based on hosts.

Here is the search:

| tstats summariesonly=t prestats=t count as old from datamodel=Web WHERE earliest=-120m latest=-60m by host | stats count as old by host | tstats summariesonly=t prestats=t append=t count as new from datamodel=Web WHERE earliest=-60m latest=now by host | stats count as new by host

Any idea why this doesn't work?

Thanks!

Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎04-04-2016 08:26 AM

Try like this

| tstats summariesonly=t prestats=t count from datamodel=Web WHERE earliest=-120m@m latest=@m by host _time span=1m | eval Period=if(_time>relative_time(now(),"-60m@m"),"New","Old") | chart sum(count) over host by Period

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎04-04-2016 08:26 AM

Try like this

| tstats summariesonly=t prestats=t count from datamodel=Web WHERE earliest=-120m@m latest=@m by host _time span=1m | eval Period=if(_time>relative_time(now(),"-60m@m"),"New","Old") | chart sum(count) over host by Period
Reply
Solved! Jump to solution

abbam
Explorer
‎04-05-2016 03:00 AM

Thanks for that.

Afraid it doesn't work. sum(count) has no values, but I know there are numbers there because I can do it without using the datamodel.

0 Karma
Reply
Solved! Jump to solution

MuS
SplunkTrust
SplunkTrust
‎04-05-2016 03:03 AM

Maybe this will help https://answers.splunk.com/answers/215346/best-practices-to-join-two-child-objects-of-a-data.html ?

cheers, MuS

0 Karma
Reply
Solved! Jump to solution

abbam
Explorer
‎04-05-2016 03:01 AM

Managed to fix it by,

| tstats summariesonly=t prestats=t count from datamodel=Matin WHERE earliest=-120m@m latest=@m by host _time span=1m | eval Period=if(_time>relative_time(now(),"-60m@m"),"New","Old") | chart count over host by Period

Thanks!!!!!

0 Karma
Reply
Get Updates on the Splunk Community!

What's New in Splunk Observability - October 2025

What’s New?    We’re excited to announce the latest enhancements to Splunk Observability Cloud and share ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

🗣 You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

 Prepare to elevate your security operations with the powerful upgrade to Splunk Enterprise Security 8.x! This ...