Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Joining two queries with same field name , but different values

bsaujla131984
Path Finder
‎04-17-2020 04:47 PM

I am trying to create an alert which will check how many messages are stuck in the queue and whats the age of messages.

Problem is , field for checking the number of messages and age of messages is same i.e. metric_dimensions.

Can someone guide how can we join these two fields with same name , but different values?

0 Karma
Reply

to4kawa
Ultra Champion
‎04-17-2020 07:40 PM 
index="sqs" sourcetype="aws:cloudwatch" source="AWSSQS" account_id="#####"  
AND (metric_name="ApproximateNumberOfMessagesVisible" OR metric_name="ApproximateAgeOfOldestMessage" )
| stats count(eval(metric_name="ApproximateNumberOfMessagesVisible")) as Sum_first count(eval(metric_name="ApproximateAgeOfOldestMessage")) as Sum_second by queuename
| where Sum_A>0 AND Sum_B > 900

see https://conf.splunk.com/files/2016/slides/power-of-spl.pdf
Searching at same time, this is Splunk way.

0 Karma
Reply

to4kawa
Ultra Champion
‎04-18-2020 10:35 PM 
index="sqs" sourcetype="aws:cloudwatch" source="AWSSQS" account_id="#####"  
 AND (metric_name="ApproximateNumberOfMessagesVisible" OR metric_name="ApproximateAgeOfOldestMessage" )`

is search two metric_name.

 | stats count(eval(metric_name="ApproximateNumberOfMessagesVisible")) as Sum_first count(eval(metric_name="ApproximateAgeOfOldestMessage")) as Sum_second by queuename

By each queuename and metric_name, aggregate .

No, still not working..
what's is this?
no results? count is wrong? what's the result?

I see you like join . ok, as you like. I'm sorry waste your time.

0 Karma
Reply

bsaujla131984
Path Finder
‎04-18-2020 10:55 PM

I will test again...will provide you detailed report.

Thanks for your help ...

0 Karma
Reply

bsaujla131984
Path Finder
‎04-17-2020 08:43 PM

Thanks to4kawa for your query . It seems to be useful.

However Stats need to be based on the Sum field instead of metric_dimensions.... how can we include Sum for both metric_dimensions?

0 Karma
Reply

bsaujla131984
Path Finder
‎04-18-2020 08:08 PM

No, still not working..

I think join can do by passing the result to main query...

0 Karma
Reply

to4kawa
Ultra Champion
‎04-17-2020 08:46 PM

| stats count as Sum count(eval(metric_name="ApproximateNumberOfMessagesVisible")) as Sum_first count(eval(metric_name="ApproximateAgeOfOldestMessage")) as Sum_second by queuename

0 Karma
Reply

to4kawa
Ultra Champion
‎04-17-2020 05:27 PM

join
How do you want to display results?

0 Karma
Reply

bsaujla131984
Path Finder
‎04-17-2020 07:22 PM

I want to combine following two queries:-

index="sqs" sourcetype="aws:cloudwatch" source="AWSSQS" account_id="#####" metric_name="ApproximateNumberOfMessagesVisible" | table queuename | where Sum>0

index="sqs" sourcetype="aws:cloudwatch" source="AWSSQS" account_id="#####" metric_name="ApproximateAgeOfOldestMessage" | table queuename | where Sum>900

First query should run if second query satisfies the where condition...

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...