Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to display last 24 hours data with query?

geetanjali
Path Finder
‎05-17-2011 06:26 AM

Hi,
i have my results :

Host | max(usage)

ABC | 100

xyz | 200

I want to add new column in table with max(usage) in last 24 hours by host.

| Max usage (last 24 hours)

| 90

| 200

I am using following query :
index="power" sourcetype="power_usage" | join [ search index="power" sourcetype="power_usage" earliest=-24h | stats max(Power_consumption) by host ]| chart max(Power_consumption) over host

Following error occur wit the query:-
[subsearch]: Your timerange was substituted based on your search string

If any body knows the solution, please let me know.

Thanks in advance.

Tags (1)
0 Karma
Reply

OL
Communicator
‎05-17-2011 06:54 AM

By the way, have you tried the eventstats function? It attaches a summary statistics to each event.

Regards,
Olivier

Reply

MarioM
Motivator
‎05-17-2011 06:59 AM

Olivier is right eventstats might be a more appropriate command than "join" i suggested to you in another thread

0 Karma
Reply

OL
Communicator
‎05-17-2011 06:45 AM

Hello,

I don't have the answer, but I can see a problem with the join function. It needs the field-list parameter as you can see in http://www.splunk.com/base/Documentation/latest/SearchReference/Join. In other word, you need to join your subsearch to something and the "field-list" is the common link between both search.

Hope it helps.

Regards,
Olivier

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...