Splunk Search

How to write a search to combine the sum of three metric names into one count?

soulmaker
Explorer

Hello, 

I have the three search queries below, and I want to combine the sums of the three metric names into one total count. Can someone assist with how I can write my query?

First Query:
| mstats sum(vault.token.creation.nonprod) as count where index=vault_metrics span=1h
| timechart sum(count) as count span=1h
| fillnull value=0
| eventstats perc90(count) perc50(count)

Second Query:
| mstats sum(vault.token.creation.dev) as count where index=vault_metrics span=1h
| timechart sum(count) as count span=1h
| fillnull value=0
| eventstats perc90(count) perc50(count)

Third Query:
| mstats sum(vault.token.creation.nonprod_preprod) as count where index=vault_metrics span=1h
| timechart sum(count) as count span=1h
| fillnull value=0
| eventstats perc90(count) perc50(count)

0 Karma
1 Solution

bowesmana
SplunkTrust

You are collecting from the same index, so just put all 3 counts in the same mstats

| mstats sum(vault.token.creation.nonprod) as count_nonprod
         sum(vault.token.creation.dev) as count_dev
         sum(vault.token.creation.nonprod_preprod) as count_nonprod_preprod
  where index=vault_metrics span=1h
| addtotals
| timechart sum(Total) as Total span=1h
| fillnull value=0
| eventstats perc90(Total) as p90_Total perc50(Total) as p50_Total

The addtotals gives you a sum of all the count_* fields into a single new field Total, so then just use that new field Total to calculate the percentiles.
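As an added illustration (not code from the thread), the Python below replays the accepted answer's pipeline on constructed hourly buckets so you can see what addtotals, fillnull and the two percentiles produce on the Total field; it assumes Splunk's perc<X> uses the nearest-rank method, and the hours_above_p90 helper is a hypothetical addition that flags hours whose token-creation total exceeds the p90 baseline.

```python
"""Replays the accepted answer's pipeline on constructed mstats rows: each row
is one hourly bucket with the three count_* fields; addtotals sums them into
Total, fillnull turns missing values into 0, and eventstats computes
percentiles over all buckets (Splunk's perc<X> is nearest-rank; assumed)."""
from math import ceil

# Constructed sample: ten hourly buckets. None models a metric with no data
# points in that hour (what `fillnull value=0` turns into 0).
ROWS = [
    {"_time": "2024-01-01T00:00", "count_nonprod": 120, "count_dev": 30, "count_nonprod_preprod": None},
    {"_time": "2024-01-01T01:00", "count_nonprod": 100, "count_dev": 20, "count_nonprod_preprod": 10},
    {"_time": "2024-01-01T02:00", "count_nonprod": 90, "count_dev": 25, "count_nonprod_preprod": 5},
    {"_time": "2024-01-01T03:00", "count_nonprod": 110, "count_dev": 40, "count_nonprod_preprod": 0},
    {"_time": "2024-01-01T04:00", "count_nonprod": 130, "count_dev": 35, "count_nonprod_preprod": 15},
    {"_time": "2024-01-01T05:00", "count_nonprod": 80, "count_dev": 10, "count_nonprod_preprod": None},
    {"_time": "2024-01-01T06:00", "count_nonprod": 95, "count_dev": 30, "count_nonprod_preprod": 5},
    {"_time": "2024-01-01T07:00", "count_nonprod": 140, "count_dev": 60, "count_nonprod_preprod": 20},
    {"_time": "2024-01-01T08:00", "count_nonprod": 400, "count_dev": 120, "count_nonprod_preprod": 80},
    {"_time": "2024-01-01T09:00", "count_nonprod": 105, "count_dev": 25, "count_nonprod_preprod": 10},
]

def addtotals(row, prefix="count_"):
    """Like `| addtotals`: sum numeric count_* fields into Total (nulls skipped)."""
    total = sum(v for k, v in row.items() if k.startswith(prefix) and v is not None)
    return {**row, "Total": total}

def fillnull(row, value=0):
    """Like `| fillnull value=0`: replace missing field values."""
    return {k: (value if v is None else v) for k, v in row.items()}

def perc(values, p):
    """Nearest-rank percentile: smallest value whose rank >= p% of N."""
    ordered = sorted(values)
    rank = max(1, ceil(p * len(ordered) / 100))
    return ordered[rank - 1]

def run_pipeline(rows):
    """addtotals -> fillnull -> eventstats perc90/perc50 over Total.
    The timechart step is a no-op here: mstats already bucketed by 1h."""
    rows = [fillnull(addtotals(r)) for r in rows]
    totals = [r["Total"] for r in rows]
    p90, p50 = perc(totals, 90), perc(totals, 50)
    return [{**r, "p90_Total": p90, "p50_Total": p50} for r in rows]

def hours_above_p90(rows):
    """Buckets whose hourly token-creation total exceeds the p90 baseline."""
    return [r for r in run_pipeline(rows) if r["Total"] > r["p90_Total"]]
```

With the constructed rows, the 08:00 bucket is the only hour whose Total (600) exceeds the p90 baseline of 220, which is the kind of spike a per-metric view can hide when the three environments are examined separately.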

soulmaker
Explorer

Thanks @bowesmana , you're a legend!

0 Karma