Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Subsearch and real-time: How to write a search to get all-time values and display them with real-time values?

canuzun
Explorer
‎06-20-2016 06:32 AM

Below is my simple search. 

index="ix-lp-tps"
| stats count as CurrentCount
| appendcols [search earliest=-100y index="ix-lp-tps" | stats count as AllTimeCount]
| table CurrentCount, AllTimeCount

If I choose last 15 mins from date picker, this search works fine. I can see count of events in the last 15 mins vs count of events from all time.

My problem occurs when I try to switch from last 15 mins to 5 min window. Historic to real-time. Why do I need to do this? There is a dashboard I need to develop and I need to use a real-time gauge, min & max of gauge is required to be dynamic. So I figured I could calculate min and max of count (for all time) and display the current count.

I understand that subsearches finish first and and main search finishes later. It is also said that real-time searches never finish, so subsearches can't be real-time which will cause the main search to never finish. It makes sense, but here I am trying to get all time values and display them with real-time values, so I don't understand what I am doing wrong.

I am also open to any other suggestions.

Thanks.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎06-20-2016 07:39 AM

You could try this approach. Avoids the use of subsearch. This will compare alltime vs 5min window. 

index="ix-lp-tps" earliest=0
| eval Current=if(_time>relative_time(now(), "-5m@m"), "Yes", "No")
| eval x=" " 
| chart count as AllTimeCount count(eval(Current="Yes") as CurrentCount
| table CurrentCount, AllTimeCount

View solution in original post

Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎06-20-2016 07:39 AM

You could try this approach. Avoids the use of subsearch. This will compare alltime vs 5min window. 

index="ix-lp-tps" earliest=0
| eval Current=if(_time>relative_time(now(), "-5m@m"), "Yes", "No")
| eval x=" " 
| chart count as AllTimeCount count(eval(Current="Yes") as CurrentCount
| table CurrentCount, AllTimeCount
Reply
Solved! Jump to solution

canuzun
Explorer
‎06-21-2016 12:38 AM

I think this is like using CASE keyword and get the SUM in the end with SQL.
I see your point here. I will try this approach.

In case anyone wants to use your sample; There was a ) missing and I have removed eval x=" " line.

index="ix-lp-tps" earliest=0
| eval Current=if(_time>relative_time(now(), "-5m@m"), "Yes", "No")
| chart count as AllTimeCount count(eval(Current="Yes")) as CurrentCount
| table CurrentCount, AllTimeCount

Thanks

Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...