Splunk Search

combine searches in one timechart

bowa
Path Finder

I would like to combine the following two searches in one timechart:

host="appserv" OAuth participants POST | regex _raw="/organizations/[a-z0-9-]*/participants/?$" | timechart count

and

host="appserv" deadlock | timechart count

Sounds like a pretty simple question, but I can't find how to do it.

1 Solution

twinspop
Influencer

Many ways to skin this cat. appendcols came to mind first:

host="appserv" OAuth participants POST earliest=-1h@h latest=-0h@h | 
regex _raw="/organizations/[a-z0-9-]*/participants/?$" |
timechart count as OAuthCount |
appendcols [ search host="appserv" deadlock earliest=-1h@h latest=-0h@h | 
    timechart count as deadlockCount | fields deadlockCount ]

So you run the first search roughly as is. Add in a time qualifier for grins, and rename the count column to something unambiguous. Pipe the results of that into an appendcols that uses a subsearch reflecting the second search (same mods), and pipe that into fields to isolate just the count of deadlocks. Finally, close the subsearch.

I make no claim that this is the best way.

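For comparison, here is a single-pass version of the same idea (added as an example here, not part of the original thread): tag each event with the series it belongs to and let timechart split on that field. It reuses the host, keywords and regex from the question; the field name series and the case() labelling are my own choices.

```spl
host="appserv" earliest=-1h@h latest=-0h@h ((OAuth participants POST) OR deadlock)
| eval series=case(
      searchmatch("deadlock"), "deadlockCount",
      searchmatch("OAuth participants POST") AND match(_raw, "/organizations/[a-z0-9-]*/participants/?$"), "OAuthCount")
| where isnotnull(series)
| timechart count by series
```

Because appendcols pairs rows by position, both timecharts must produce identical buckets (same earliest, latest and span) or the deadlock counts land next to the wrong time slots; splitting one timechart by a field avoids that alignment requirement and the subsearch altogether.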

jcai_splunk
Splunk Employee

Cool! Exactly what I want!


bowa
Path Finder

Thanks a lot 🙂 appendcols is my friend now!
