How to display last 24 hours data with query?

geetanjali · ‎05-17-2011

Hi,
i have my results :

Host | max(usage)

ABC | 100

xyz | 200

I want to add new column in table with max(usage) in last 24 hours by host.

| Max usage (last 24 hours)

| 90

| 200

I am using following query :
index="power" sourcetype="power_usage" | join [ search index="power" sourcetype="power_usage" earliest=-24h | stats max(Power_consumption) by host ]| chart max(Power_consumption) over host

Following error occur wit the query:-
[subsearch]: Your timerange was substituted based on your search string

If any body knows the solution, please let me know.

Thanks in advance.

OL · ‎05-17-2011

By the way, have you tried the eventstats function? It attaches a summary statistics to each event.

Regards,
Olivier

MarioM · ‎05-17-2011

Olivier is right eventstats might be a more appropriate command than "join" i suggested to you in another thread

OL · ‎05-17-2011

Hello,

I don't have the answer, but I can see a problem with the join function. It needs the field-list parameter as you can see in http://www.splunk.com/base/Documentation/latest/SearchReference/Join. In other word, you need to join your subsearch to something and the "field-list" is the common link between both search.

Hope it helps.

Regards,
Olivier

How to display last 24 hours data with query?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor