Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to write search for timechart with multiple joins?

Karthikeyan
Engager
‎08-03-2022 09:15 AM

Hello,

I am trying to write a search query to fetch data from different sourcetype and the common factor in all sorucetype is _time.

I'm facing two issues.

1. With below search criteria, the value of field CPU is constant all the time, but the actual value is different.

index=indexname host=hostname sourcetype=meminfo earliest=-1d@d latest=@d
| table memUsedPct
| join type=inner _time [search index=indexname host=hostname sourcetype=cpuinfo | multikv | search CPU=all | eval CPU=100-pctIdle | table CPU]

 

2. How to show the memUsedPct and CPU in a timechart ?

Regards, Karthikeyan

Labels (4)
Labels
0 Karma
Reply

somesoni2
Revered Legend
‎08-03-2022 06:04 PM

There is no need for join. Try like this

index=indexname host=hostname (sourcetype=meminfo OR sourcetype=cpuinfo) earliest=-1d@d latest=@d
| multikv | search CPU=all OR memUsedPct=* | eval CPU=100-pctIdle
| fields _time memUsedPct CPU
| timechart avg(*) as *
0 Karma
Reply
Get Updates on the Splunk Community!

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

Register Join this Tech Talk to learn how unique features like Service Centric Views, Tag Spotlight, and ...