Solved: Re: Join / Append columns

shangshin · ‎03-21-2014

Hi,
I would like to join or append 2 dataseries and try the function append/ join. However, the result is not really what I want. Please advise the right query to achieve the goal below.

Thanks in advance!

source="cpu_load" host="myhost" | timechart span=30m avg(cpu) as cpu_average 
| append [search sourcetype="server_hits" host="myhost" | timechart bins=300 minspan=30m sum(requests) AS req]

Result

    _time                   cpu_average ser
1   3/21/14 10:00:00.000 AM 10.087604   
2   3/21/14 10:30:00.000 AM 10.734093   
3   3/21/14 11:00:00.000 AM 10.539557
4   3/21/14 10:00:00.000 AM             1244
5   3/21/14 10:30:00.000 AM             1501
6   3/21/14 11:00:00.000 AM             1931

Ideal Goal

    _time                   cpu_average ser
1   3/21/14 10:00:00.000 AM 10.087604   1244
2   3/21/14 10:30:00.000 AM 10.734093   1501
3   3/21/14 11:00:00.000 AM 10.539557   1931

wpreston · ‎03-21-2014

I don't think you'll need to use append, stats should do the trick. Try something like this:

source="cpu_load" OR source="server_hits" host="myhost" | bin _time span=30m | stats  avg(cpu) as cpu_average sum (requests) AS req by _time

View solution in original post

wpreston · ‎03-21-2014

I don't think you'll need to use append, stats should do the trick. Try something like this:

source="cpu_load" OR source="server_hits" host="myhost" | bin _time span=30m | stats  avg(cpu) as cpu_average sum (requests) AS req by _time

Join / Append columns

Observe and Secure All Apps with Splunk

Splunk Decoded: Business Transactions vs Business IQ

Fastest way to demo Observability

Are you a member of the Splunk Community?

Join / Append columns

Observe and Secure All Apps with Splunk

Splunk Decoded: Business Transactions vs Business IQ

Fastest way to demo Observability