Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Join two searches and draw them on the same chart

baranova
New Member
‎06-02-2014 01:03 AM

Hello guys ,

I kinda need your help , i spend some time on this query and i don't really see how to do that ( tried join ad add column )

Here is an example of my table :

Sold on Bought on Car
aug14 oct12 Ferrari
july14 sept13 Lamborghini
sept13 aug13 Porsh
nov13 oct13 Mercedes

The thing i wanna do is to show for each month ( i know how to do that ) the number of cars bought AND sold . The car doesn't mar

So basically i have to count sold on and Car for each of the months , and the same thing for car and bought .

But how to join them ?? ...

Thanks a lot !

Tags (2)
0 Karma
Reply

MuS
Legend
‎06-02-2014 02:10 AM

Hi baranova,

take this run everywhere example, this will take events from two sources and displays them according to first day and last day of the week they were seen and lists them by mySeries

index=_internal source=*metrics.log OR source=*splunkd.log ( series OR WatchedFile ) earliest=-7d@d 
| eval mySeries=coalesce(file,series) 
| stats first(date_wday) AS first_week last(date_wday) AS last_week count by mySeries

What happens here is that the first line filters the events from two sources for series OR WatchedFile, the eval is used to create a new field either using the file (from splunkd.log) or the series (from metrics.log), last the stats is used to count and display the result.

Adapted to your search and assuming you have fields ready for Sold on, Bought on and Car try something like this:

 your base search to get all needed events
| stats first(Bought_on) AS Bought last(Sold_on) AS Sold count by Car

hope I did get your question right and this helps to get you started ...

btw, try to avoid field names with spaces in it.

cheers, MuS

0 Karma
Reply

baranova
New Member
‎06-02-2014 02:43 AM

Hello and thanks a lot for your reply !

It's close with the thing i want , unfortunately I can't count by Car .

Basically here is the results i Need

august 13 sold 577 Bought 600
september 13 sold 400 bought 500

But again , thanks for the quick reply !

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...

Data Persistence in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. What happens if the OpenTelemetry collector ...

Thanks for the Memories! Splunk University, .conf25, and our Community

Thank you to everyone in the Splunk Community who joined us for .conf25, which kicked off with our iconic ...