Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Joining two queries with same field name , but different values

bsaujla131984
Path Finder
‎04-17-2020 04:47 PM

I am trying to create an alert which will check how many messages are stuck in the queue and whats the age of messages.

Problem is , field for checking the number of messages and age of messages is same i.e. metric_dimensions.

Can someone guide how can we join these two fields with same name , but different values?

0 Karma
Reply

to4kawa
Ultra Champion
‎04-17-2020 07:40 PM 
index="sqs" sourcetype="aws:cloudwatch" source="AWSSQS" account_id="#####"  
AND (metric_name="ApproximateNumberOfMessagesVisible" OR metric_name="ApproximateAgeOfOldestMessage" )
| stats count(eval(metric_name="ApproximateNumberOfMessagesVisible")) as Sum_first count(eval(metric_name="ApproximateAgeOfOldestMessage")) as Sum_second by queuename
| where Sum_A>0 AND Sum_B > 900

see https://conf.splunk.com/files/2016/slides/power-of-spl.pdf
Searching at same time, this is Splunk way.

0 Karma
Reply

to4kawa
Ultra Champion
‎04-18-2020 10:35 PM 
index="sqs" sourcetype="aws:cloudwatch" source="AWSSQS" account_id="#####"  
 AND (metric_name="ApproximateNumberOfMessagesVisible" OR metric_name="ApproximateAgeOfOldestMessage" )`

is search two metric_name.

 | stats count(eval(metric_name="ApproximateNumberOfMessagesVisible")) as Sum_first count(eval(metric_name="ApproximateAgeOfOldestMessage")) as Sum_second by queuename

By each queuename and metric_name, aggregate .

No, still not working..
what's is this?
no results? count is wrong? what's the result?

I see you like join . ok, as you like. I'm sorry waste your time.

0 Karma
Reply

bsaujla131984
Path Finder
‎04-18-2020 10:55 PM

I will test again...will provide you detailed report.

Thanks for your help ...

0 Karma
Reply

bsaujla131984
Path Finder
‎04-17-2020 08:43 PM

Thanks to4kawa for your query . It seems to be useful.

However Stats need to be based on the Sum field instead of metric_dimensions.... how can we include Sum for both metric_dimensions?

0 Karma
Reply

bsaujla131984
Path Finder
‎04-18-2020 08:08 PM

No, still not working..

I think join can do by passing the result to main query...

0 Karma
Reply

to4kawa
Ultra Champion
‎04-17-2020 08:46 PM

| stats count as Sum count(eval(metric_name="ApproximateNumberOfMessagesVisible")) as Sum_first count(eval(metric_name="ApproximateAgeOfOldestMessage")) as Sum_second by queuename

0 Karma
Reply

to4kawa
Ultra Champion
‎04-17-2020 05:27 PM

join
How do you want to display results?

0 Karma
Reply

bsaujla131984
Path Finder
‎04-17-2020 07:22 PM

I want to combine following two queries:-

index="sqs" sourcetype="aws:cloudwatch" source="AWSSQS" account_id="#####" metric_name="ApproximateNumberOfMessagesVisible" | table queuename | where Sum>0

index="sqs" sourcetype="aws:cloudwatch" source="AWSSQS" account_id="#####" metric_name="ApproximateAgeOfOldestMessage" | table queuename | where Sum>900

First query should run if second query satisfies the where condition...

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...
Top