Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to display last 24 hours data with query?

geetanjali
Path Finder
‎05-17-2011 06:26 AM

Hi,
i have my results :

Host | max(usage)

ABC | 100

xyz | 200

I want to add new column in table with max(usage) in last 24 hours by host.

| Max usage (last 24 hours)

| 90

| 200

I am using following query :
index="power" sourcetype="power_usage" | join [ search index="power" sourcetype="power_usage" earliest=-24h | stats max(Power_consumption) by host ]| chart max(Power_consumption) over host

Following error occur wit the query:-
[subsearch]: Your timerange was substituted based on your search string

If any body knows the solution, please let me know.

Thanks in advance.

Tags (1)
0 Karma
Reply

OL
Communicator
‎05-17-2011 06:54 AM

By the way, have you tried the eventstats function? It attaches a summary statistics to each event.

Regards,
Olivier

Reply

MarioM
Motivator
‎05-17-2011 06:59 AM

Olivier is right eventstats might be a more appropriate command than "join" i suggested to you in another thread

0 Karma
Reply

OL
Communicator
‎05-17-2011 06:45 AM

Hello,

I don't have the answer, but I can see a problem with the join function. It needs the field-list parameter as you can see in http://www.splunk.com/base/Documentation/latest/SearchReference/Join. In other word, you need to join your subsearch to something and the "field-list" is the common link between both search.

Hope it helps.

Regards,
Olivier

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...