Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to create a single table with results from two different queries

pedropiin
Path Finder
‎02-20-2025 04:38 AM

Hi everyone.

I'm sorry if this seems like a questions that's already been asked, but none of the answers I could find solve my problem and I'm very new to splunk.

I have a query that does lots of filtering and calculates multiple metrics such as average, max, count on conditions and etc. I used to run this query twice, creating two different tables, as I need to compare two different applications based on the same metrics. But now I need to do this using only one table. 

My query is of the form 

index=... payload.appName=app1
| bin span=1d _time
| stats ...
| eval ...
| where ...
| sort ...
| streamstats ...
| eval ...
| stats avg(...) as avg_app1
  max(...) as max_app1
  count(...) as count1_app1
  count(...) as count2_app1
  by _time
| rename avg_app1 as "Average App 1"
  ...
| fields "Average App 1" ...

This would give a table with all my metrics for app1 and I would have, simultaneously, another similar query for the app2, resulting in a different table. 

I need to create a single table of the form:

"Average App 1" | "Average App 2" | "Max App 1" | "Max App 2" | "Count App 1"...

It's important to note that using, for example, "multisearch", gives me the error "Multisearch subsearches might only contain purely streaming operations (subsearch 1 contains a non-streaming command)".

How could I do this?

Thank you in advance

Labels (4)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎02-20-2025 06:04 AM

Search for both apps at the same time and let the stats commands sort them out.

index=... (payload.appName=app1 OR payload.appName=app2)
| bin span=1d _time
| rename payload.appName as appName
| stats ... by appName
| eval ...
| where ...
| sort ...
| streamstats ... by appName
| eval ...
| stats avg(...) as avg_app1
  max(...) as max_app1
  count(...) as count1_app1
  count(...) as count2_app1
  by _time appName
| rename avg_app1 as "Average App 1"
  ...
| fields "Average App 1" ...
---
If this reply helps you, Karma would be appreciated.
Reply

pedropiin
Path Finder
‎02-20-2025 06:23 AM

Thank you for your response!

It definitely works, but it has two issues, both related to each other:
1) It gives two row, instead of adding columns. Running the query for only one app, gives me one row per date, in which the metrics are the columns. Using your strategy gives me two rows per date, one for each app. Is it possible to set the metrics side-by-side as different columns? Having two rows is a problem as, in theory, the user should be able to compare both applications for a range of, let's say, 1 month. So having two rows per day and making the user compare between pairs of rows while in the middle of other 58 makes it confusing.

2) Related to the last topic, how would I rename them? Because as this strategy gives me two rows, the distinction between the apps is based on identifying which row corresponds to each app. Would it be possible to rename the metrics in such way that I have "Average App 1" and "Average App 2"?



0 Karma
Reply
Get Updates on the Splunk Community!

Good Sourcetype Naming

When it comes to getting data in, one of the earliest decisions made is what to use as a sourcetype. Often, ...

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...

Splunk App for Anomaly Detection End of Life Announcement

Q: What is happening to the Splunk App for Anomaly Detection?A: Splunk is officially announcing the ...
Top