Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to merge 2 search in one search?

jip31
Motivator
‎03-10-2022 10:26 PM

Hello

I use 2 separate search almost identical

Now I want to merge these 2 search in one search

Here is the search

 

index=toto sourcetype="cit" type=* earliest=@d+7h latest=@d+19h 
| fields citrtt s 
| bin span=1h _time 
| search citrtt > 150 
| stats count as PbPerf by s _time 
| search PbPerf >= 2 
| timechart dc(s) as s span=1h 
| where _time < now() 
| eval time = strftime(_time, "%H:%M") 
| stats sum(s) as nbs by time 
| rename time as Heure

 

 

 

index=toto sourcetype="cit" type=* earliest=@d+7h latest=@d+19h 
| fields citnet s
| bin span=1h _time 
| search citnet > 80
| stats count as PbPerf by s _time 
| search PbPerf >= 2 
| timechart dc(s) as s span=1h 
| where _time < now() 
| eval time = strftime(_time, "%H:%M") 
| stats sum(s) as nbs by time  
| rename time as Heure

 

could you help please?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-11-2022 12:27 AM 
index=toto sourcetype="cit" type=* earliest=@d+7h latest=@d+19h 
| fields citrtt citnet s 
| bin span=1h _time 
| stats count(eval(citrtt > 150)) as citrrt_count count(eval(citnet > 80)) as citnet_count by s _time
| stats count(eval(citrtt_count > 2)) as citrtt_s_count count(eval(citnet_count > 2)) as citnet_s_count by _time
| where _time < now() 
| eval time = strftime(_time, "%H:%M") 
| stats sum(citrtt_s_count) as nbs_citrtt sum(citnet_s_count) as nbs_citnet by time 
| rename time as Heure

View solution in original post

0 Karma
Reply
Solved! Jump to solution

SanjayReddy
SplunkTrust
SplunkTrust
‎03-10-2022 10:42 PM

Hi @jip31 

please use this

index=toto sourcetype IN ("cit","ezoptima:cit") type=* earliest=@d+7h latest=@d+19h
| fields citrtt citnet s
| bin span=1h _time
| search citrtt > 150 AND citnet > 80
| stats count as PbPerf by s _time
| search PbPerf >= 2
| timechart dc(s) as s span=1h
| where _time < now()
| eval time = strftime(_time, "%H:%M")
| stats sum(s) as nbs by time
| rename time as Heure

0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎03-10-2022 10:51 PM

hi

pearhaps I am not enough clear but I need to have 2 sum results for citrtt > 150 AND citnet > 80

for example :  time, citrtt, citnet

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-10-2022 11:04 PM 
index=toto sourcetype="cit" type=* earliest=@d+7h latest=@d+19h 
| fields citrtt citnet s 
| bin span=1h _time 
| stats count(eval(citrtt > 150)) as citrrt_count count(eval(citnet > 80)) as citnet_count by s _time
0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎03-11-2022 12:42 AM

ther eis an issue with the field nbs_citrtt which is never calculated even if I change the threshold 

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-11-2022 12:46 AM

There was a typo in the solution (corrected in later solutions)

| stats count(eval(citrtt > 150)) as citrtt_count count(eval(citnet > 80)) as citnet_count by s _time
0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎03-10-2022 11:13 PM

OK but I need to timechart the "s" events for citrtt and citnet after the stats command like in my example, so it's not enough

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-10-2022 11:35 PM

This requirement is not enough to determine the solution - for example, do you want to count unique s where citrtt > 2 AND citnet > 2 or count unique s where citrtt > 2 OR citnet > 2?

0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎03-10-2022 11:48 PM

I want to count unique s where citrtt > 2 OR citnet > 2

but like I said I need to timechart the s events for the citrtt and citnet so I dont know how is it possible

 

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-11-2022 12:15 AM

That is still not clear enough - do you want a single count per hour of unique s where either count is greater than 2 or do you want two counts per hour of unique s where the corresponding count is greater than 2?

0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎03-11-2022 12:22 AM

two counts per hour of unique s where the corresponding count is greater than 2

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-11-2022 12:27 AM 
index=toto sourcetype="cit" type=* earliest=@d+7h latest=@d+19h 
| fields citrtt citnet s 
| bin span=1h _time 
| stats count(eval(citrtt > 150)) as citrrt_count count(eval(citnet > 80)) as citnet_count by s _time
| stats count(eval(citrtt_count > 2)) as citrtt_s_count count(eval(citnet_count > 2)) as citnet_s_count by _time
| where _time < now() 
| eval time = strftime(_time, "%H:%M") 
| stats sum(citrtt_s_count) as nbs_citrtt sum(citnet_s_count) as nbs_citnet by time 
| rename time as Heure
0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎03-11-2022 12:57 AM

now it works ;-), thanks

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-10-2022 10:42 PM

Please be more specific about what you are trying to do with the merged search as this will help determine the solution.

0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎03-10-2022 11:03 PM

I need to display the number of citrtt and the number of citnet for each bin span _time

time, citrtt, citnet

example : 7h,  25, 8

                     8h, 43, 7

etc....

0 Karma
Reply
Get Updates on the Splunk Community!

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...