Solved: How to join two searches?

skphi13 · ‎07-26-2018

I need help joining the following 2 searches.

Search 1:

app="atlas" source="/usr/local/homeaway/atlas-production/logs/*" index="aws_prod_applogs" titan | stats avg(*responseTime) by date_mday

Search 2:

app="atlas" source="/usr/local/homeaway/atlas-production/logs/*" index="aws_prod_applogs" titan statusCode=200 | stats avg(*responseTime) by date_mday

I tried using Join and Append but it's no working.

jplumsdaine22 · ‎07-26-2018

Assuming all your events have a status code, you can do it one:

app="atlas" source="/usr/local/homeaway/atlas-production/logs/*" index="aws_prod_applogs" titan statusCode=* 
|  eventstats sum(*responseTime) as total* count as count_events by date_mday
|  where status=200
| stats max(total*) as total* max(count_events) as count_events avg(*responseTime) as avg_*responseTime_200 by status date_mday
|  foreach total* 
    [eval <<FIELD>>=<<FIELD>>/count_events]
|  rename total* as avg*_all_status

View solution in original post

jplumsdaine22 · ‎07-27-2018

You should see something like this:

jplumsdaine22 · ‎07-26-2018

Assuming all your events have a status code, you can do it one:

app="atlas" source="/usr/local/homeaway/atlas-production/logs/*" index="aws_prod_applogs" titan statusCode=* 
|  eventstats sum(*responseTime) as total* count as count_events by date_mday
|  where status=200
| stats max(total*) as total* max(count_events) as count_events avg(*responseTime) as avg_*responseTime_200 by status date_mday
|  foreach total* 
    [eval <<FIELD>>=<<FIELD>>/count_events]
|  rename total* as avg*_all_status

skphi13 · ‎07-27-2018

this is what i get

skphi13 · ‎07-27-2018

Yes all event should have a status code. When i tried running this, nothing shows up.

jplumsdaine22 · ‎07-27-2018

Ah sorry in my test search I had just status. Change status to statsCode and you should be good to go

skphi13 · ‎07-27-2018

so it does return events but no statistics or visualization.

jplumsdaine22 · ‎07-27-2018

Er that has a stats command in there, it can't return events unless you're running in verbose mode, in which case just switch to the relevant tab

skphi13 · ‎07-27-2018

i switch it to smart mode and ran the search again and nothing. I even change the timeframe to the last 7 days. I have posted the picture of the results but it's awaiting moderator approval.

skphi13 · ‎07-27-2018

it's showing 0 events, but i know that's incorrect

jplumsdaine22 · ‎07-27-2018

OK, step back through the search.

ie I assume you get events for this:

 app="atlas" source="/usr/local/homeaway/atlas-production/logs/*" index="aws_prod_applogs" titan statusCode=*

So just keep adding the search commands until you find the one that breaks it. Most likely it is a misnamed field

skphi13 · ‎07-27-2018

so i ran the following in smart mode

app="atlas" source="/usr/local/homeaway/atlas-production/logs/" index="aws_prod_applogs" titan statusCode= | eventstats sum(responseTime) as total count as count_events by date_mday

It returns a bunch of events but no stats...

jplumsdaine22 · ‎07-27-2018

Eventstats will add the stats to each event - this is so you can calculate the averages of all events even after dropping the others

skphi13 · ‎07-27-2018

yea so when i ran the serach with eventstats no statistics show up in the results. But when i ran it with stats the statistics shows up in the result.

jplumsdaine22 · ‎07-27-2018

See in the stats command you have by status

Change that to statusCode

skphi13 · ‎07-27-2018

it works! thanks for pointing out that small details.

hortonew · ‎07-26-2018

I believe with stats you need appendcols not append. For instance:

| appendcols [search app="atlas" source="/usr/local/homeaway/atlas-production/logs/*" index="aws_prod_applogs" titan statusCode=200 | stats avg(*responseTime) by date_mday]

How to join two searches?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?