Solved: Join / Append columns

shangshin · ‎03-21-2014

Hi,
I would like to join or append 2 dataseries and try the function append/ join. However, the result is not really what I want. Please advise the right query to achieve the goal below.

Thanks in advance!

source="cpu_load" host="myhost" | timechart span=30m avg(cpu) as cpu_average 
| append [search sourcetype="server_hits" host="myhost" | timechart bins=300 minspan=30m sum(requests) AS req]

Result

    _time                   cpu_average ser
1   3/21/14 10:00:00.000 AM 10.087604   
2   3/21/14 10:30:00.000 AM 10.734093   
3   3/21/14 11:00:00.000 AM 10.539557
4   3/21/14 10:00:00.000 AM             1244
5   3/21/14 10:30:00.000 AM             1501
6   3/21/14 11:00:00.000 AM             1931

Ideal Goal

    _time                   cpu_average ser
1   3/21/14 10:00:00.000 AM 10.087604   1244
2   3/21/14 10:30:00.000 AM 10.734093   1501
3   3/21/14 11:00:00.000 AM 10.539557   1931

wpreston · ‎03-21-2014

I don't think you'll need to use append, stats should do the trick. Try something like this:

source="cpu_load" OR source="server_hits" host="myhost" | bin _time span=30m | stats  avg(cpu) as cpu_average sum (requests) AS req by _time

View solution in original post

wpreston · ‎03-21-2014

I don't think you'll need to use append, stats should do the trick. Try something like this:

source="cpu_load" OR source="server_hits" host="myhost" | bin _time span=30m | stats  avg(cpu) as cpu_average sum (requests) AS req by _time

Join / Append columns

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation