Splunk Search

Show a chart based on host found in another search

chadman
Path Finder

Ok, So I have two searches that work great. One will find computers with slow ping times. The other will create a chart of the ping times based on one host name. I would like somehow combine these two search's, but not sure how to do it. I would like my end result to be a chart that shows all the computers with slow ping times on one chart that plots there ping times.

Here is a search I use to grab the computers I would like to chart.

sourcetype="search1" earliest=-15m | where internal_time > 250 | stats count(internal_time) as Count by host | where Count > 3 | dedup host| table host,Count

And here is the chart I use to for one computer.

sourcetype="search1" host=$desktop$ | timechart avg(internal_time) as "Ping Time"
Tags (2)
0 Karma
1 Solution

sundareshr
Legend

How about this?

sourcetype="search1" earliest=-60m@m | where internal_time > 250 | bin span=15m _time | stats count(internal_time) as Count avg(internal_time) as "Ping Time" by _time host | where Count > 3

View solution in original post

0 Karma

woodcock
Esteemed Legend

Like this:

index=blah sourcetype="search1" [index=blah sourcetype="search1" earliest=-15m | where internal_time > 250 | stats count(internal_time) as Count by host | where Count > 3 | dedup host| table host] | timechart avg(internal_time) AS "Ping Time" BY host
0 Karma

somesoni2
SplunkTrust
SplunkTrust

Suggestion - it's always better to specify the index name. You can see the difference just by adding the index name to your searches.

Try this

index=yourindex sourcetype="search1" [search index=yourindex sourcetype="search1" earliest=-15m internal_time > 250 | stats count(internal_time) as Count by host | where Count > 3 | dedup host| table host] | timechart avg(internal_time) as "Ping Time" by host
0 Karma

chadman
Path Finder

Thanks for the tip! You solution also did what I was looking for. I was trying you approach at first, but could not get the syntax correct.

0 Karma

sundareshr
Legend

How about this?

sourcetype="search1" earliest=-60m@m | where internal_time > 250 | bin span=15m _time | stats count(internal_time) as Count avg(internal_time) as "Ping Time" by _time host | where Count > 3
0 Karma

chadman
Path Finder

Thanks worked great!

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...