Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to use multiple search results in another search to get my expected output?

guruwells
Explorer
‎05-17-2016 04:56 AM

Hi All,

I have 2 search statements which are giving 2 different search results with same index and sourcetype. I want to use these results in another search statement and need to get the result.

1st search:

index=main sourcetype=iis| where time_taken > 4000 |stats count(s_computername) as "# of Hits > 4 seconds"|

2nd search:

index=main sourcetype=iis| eval u_name =replace(cs_username, "0#","")| eval u_name1= replace(u_name, ".w|","")|eval u_name2=replace(u_name1,"\|","")|stats dc(u_name2) AS "Unique Users", count(s_computername) as "Elements/Hits"

And looking for:

index= main sourcetype=iis| eval result= "# of Hits > 4 seconds" / Elements/Hits| eval resultvalue= result * 100

I am using appendcols to get the results from various search statements.

Your help is appreciated.

Thanks,
Guru

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎05-17-2016 06:27 AM

You could try without the subsearch like this.

index=main sourcetype=iis | eval u_name =replace(cs_username, "0#","") | eval u_name1= replace(u_name, ".w|","") | eval u_name2=replace(u_name1,"\|","") | stats count(eval(time_taken>4000)) AS hits dc(u_name2) as users count(s_computername) AS elements  | eval resultsvalue = (hits/elements)*100 | rename hits AS "# of Hits > 4 seconds" elements AS  "Elements/Hits"

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎05-17-2016 06:27 AM

You could try without the subsearch like this.

index=main sourcetype=iis | eval u_name =replace(cs_username, "0#","") | eval u_name1= replace(u_name, ".w|","") | eval u_name2=replace(u_name1,"\|","") | stats count(eval(time_taken>4000)) AS hits dc(u_name2) as users count(s_computername) AS elements  | eval resultsvalue = (hits/elements)*100 | rename hits AS "# of Hits > 4 seconds" elements AS  "Elements/Hits"
0 Karma
Reply
Solved! Jump to solution

guruwells
Explorer
‎05-17-2016 06:51 AM

Excellent. it's worked for me. Thanks for the help. It's saved lot of time.

0 Karma
Reply
Solved! Jump to solution

guruwells
Explorer
‎05-18-2016 03:02 AM

Hi Sundaresh,
I have one more question if you are ok with that.
Requirement is:
statement1: index=main sourcetype=iis earliest=-1d@d|eval csuri=lower(cs_uri_stem)| where csuri="/pages/default.aspx" AND sc_status!="401"|stats count(eval(time_taken>4000)) as "Page Views > 4 seconds" count(eval(time_taken>2500)) as "Page Views > 2.5 seconds" | appendcols[search index=main sourcetype=iis earliest=-1d@d|eval csuri=lower(cs_uri_stem)| Where csuri="/view/pages/default.aspx" AND sc_status!="401"|stats avg(time_taken) as "Page response time", count as "Page views"]

statement2: index=main sourcetype=iis|eval resultvalue= (Page Views > 4 seconds/Page Views) *100.

I am looking all 2 statements into single statement to get the result. In above answer we have looked one condition across statement. But here we can find various conditions across all 2 statements.

Please help me on this if you have any idea?

Thanks.
Guru Prasad K

0 Karma
Reply
Solved! Jump to solution

guruwells
Explorer
‎05-18-2016 02:38 AM

How to fulfill below requirement in single satement.
satement1:
index=main sourcetype=iis earliest=-1d@d|eval csuri=lower(cs_uri_stem)| where csuri="/pages/default.aspx" AND sc_status!="401"|stats count(eval(time_taken>4000)) as "Page Views > 4 seconds" count(eval(time_taken>2500)) as "Page Views > 2.5 seconds"
statement2:
appendcols[search index=main sourcetype=iis earliest=-1d@d|eval csuri=lower(cs_uri_stem)| Where csuri="/view/pages/default.aspx" AND sc_status!="401"|stats avg(time_taken) as "Page response time" |stats count as "Page views"]

statement3: index= main sourcetype=iis |eval resultset= (Page Views> 4 seconds"/"Page Views") *100.

In above answer it's really helped I got the output accordingly. But here couples of conditions are exist. How to make these 3 statements into single search statement.

Your help is appreciated.

0 Karma
Reply
Get Updates on the Splunk Community!

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...