Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Join two searches and draw them on the same chart

baranova
New Member
‎06-02-2014 01:03 AM

Hello guys ,

I kinda need your help , i spend some time on this query and i don't really see how to do that ( tried join ad add column )

Here is an example of my table :

Sold on Bought on Car
aug14 oct12 Ferrari
july14 sept13 Lamborghini
sept13 aug13 Porsh
nov13 oct13 Mercedes

The thing i wanna do is to show for each month ( i know how to do that ) the number of cars bought AND sold . The car doesn't mar

So basically i have to count sold on and Car for each of the months , and the same thing for car and bought .

But how to join them ?? ...

Thanks a lot !

Tags (2)
0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎06-02-2014 02:10 AM

Hi baranova,

take this run everywhere example, this will take events from two sources and displays them according to first day and last day of the week they were seen and lists them by mySeries

index=_internal source=*metrics.log OR source=*splunkd.log ( series OR WatchedFile ) earliest=-7d@d 
| eval mySeries=coalesce(file,series) 
| stats first(date_wday) AS first_week last(date_wday) AS last_week count by mySeries

What happens here is that the first line filters the events from two sources for series OR WatchedFile, the eval is used to create a new field either using the file (from splunkd.log) or the series (from metrics.log), last the stats is used to count and display the result.

Adapted to your search and assuming you have fields ready for Sold on, Bought on and Car try something like this:

 your base search to get all needed events
| stats first(Bought_on) AS Bought last(Sold_on) AS Sold count by Car

hope I did get your question right and this helps to get you started ...

btw, try to avoid field names with spaces in it.

cheers, MuS

0 Karma
Reply

baranova
New Member
‎06-02-2014 02:43 AM

Hello and thanks a lot for your reply !

It's close with the thing i want , unfortunately I can't count by Car .

Basically here is the results i Need

august 13 sold 577 Bought 600
september 13 sold 400 bought 500

But again , thanks for the quick reply !

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...