Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to merge search results into a meaningful data?

2chs
Explorer
‎10-16-2020 04:05 AM

Hi There,

Need to combine these two searches meaningfully, can someone help please.

 

1st Query:

index=xyz ....

| chart count(serviceName) as total count(eval(isPolicySuccessful="true")) as successTotal by serviceName

 

which gives something like below;

serviceName      total     successTotal
srvc1                   26429       26344
srvc2                       80               80
srvc3                        12              12

 

2nd Query:

index=xyz ....

| bin _time span=1s
| stats count AS TPS by _time serviceName | eventstats max(TPS) as peakTPS by _time serviceName | eval peakTime=if(peakTPS==TPS,_time,null())
| chart max(TPS) AS "PeakTPS" eval(round(avg(TPS),2)) AS "AVG TPS" min(TPS) AS "MinTPS" first(peakTime) as peakTime by serviceName | fieldformat peakTime=strftime(peakTime,"%x %X")

which gives something like below:

serviceName     PeakTPS       AVG TPS      MinTPS        peakTime
srvc33                11                         1.64                 1             10/15/20 16:34:40
srvc1                     1                          1.00                 1             10/15/20 16:44:42
srvc5                    2                           1.63                 1             10/15/20 20:35:22

 

Now the problem is how to merge these two results into a meaningful one?

something like below:

serviceName      total     successTotal   PeakTPS       AVG TPS      MinTPS        peakTime
srvc1                   26429       26344                  1                          1.00                 1             10/15/20 16:44:42

 

Please help!

0 Karma
Reply

gcusello
Esteemed Legend
‎10-16-2020 05:01 AM

Hi @2chs,

I cannot test the search but see the approach, something like this:

index=xyz ....
| eventstats count(serviceName) as total by serviceName
| eventstats count(eval(isPolicySuccessful="true")) as successTotal by serviceName
| eventstats max(TPS) as peakTPS by _time serviceName 
| eval peakTime=if(peakTPS==TPS,_time,null())
| chart values(total) AS total values(successTotal) AS successTotal max(TPS) AS "PeakTPS" eval(round(avg(TPS),2)) AS "AVG TPS" min(TPS) AS "MinTPS" first(peakTime) as peakTime by serviceName 
| fieldformat peakTime=strftime(peakTime,"%x %X")

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

New Splunk Observability innovations: Deeper visibility and smarter alerting to ...

You asked, we delivered. Splunk Observability Cloud has several new innovations giving you deeper visibility ...

Synthetic Monitoring: Not your Grandma’s Polyester! Tech Talk: DevOps Edition

Register today and join TekStream on Tuesday, February 28 at 11am PT/2pm ET for a demonstration of Splunk ...

Instrumenting Java Websocket Messaging

Instrumenting Java Websocket MessagingThis article is a code-based discussion of passing OpenTelemetry trace ...