Re: how to run two functions in a single query.

geetanjali · ‎06-19-2011

Hello

I have 3 guest and each guest has 10 hosts in it. i want to display data in pie chart.

my query conditions are :

Want to display sum of latest value over hosts by guest. First i need to find out latest values of host and then sum up that values guest.

My current query is:-

index="test" sourcetype="power_usage" | eval guest=ltrim(source,"/opt/app/powersupply/") | eval guest=split(guest,"/") | eval guest=mvindex(guest,-3) | chart first(Power_consumption) as a over host by guest

This query is giving latest values of hosts by guest. Next i need to sum up latest values. What would be the approach to do this. i have tried with addtotal, but it's giving result for all hosts.
How could i update my query for this.

Please help, if anybody knows the solution.

Thanks in advance.

Geetanjali

woodcock · ‎06-04-2015

Switch from chart to stats like this:

index="test" sourcetype="power_usage" | eval guest=ltrim(source,"/opt/app/powersupply/") | eval guest=split(guest,"/") | eval guest=mvindex(guest,-3) | stats first(Power_consumption) AS a BY host, guest

Then you can do this:

index="test" sourcetype="power_usage" | eval guest=ltrim(source,"/opt/app/powersupply/") | eval guest=split(guest,"/") | eval guest=mvindex(guest,-3) | stats first(Power_consumption) AS a BY host, guest | stats sum(a) by host

Or perhaps this:

index="test" sourcetype="power_usage" | eval guest=ltrim(source,"/opt/app/powersupply/") | eval guest=split(guest,"/") | eval guest=mvindex(guest,-3) | stats first(Power_consumption) AS a BY host, guest | stats sum(a) by guest

woodcock · ‎07-14-2015

Did any of this work?

how to run two functions in a single query.

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor