Splunk Search

how to use UNION for 4 counter types

sunnyparmar
Communicator

Hi,

I have 4 counters with the following names for the performance monitor of the system:

1.) Avg. Disk sec/Read
2.) Avg. Disk sec/Write
3.) Disk Reads/sec
4.) Disk Writes/sec

I want to see all of the above counters in one query, as either bars or graphs. For that I am writing my query as given below, but it is not working. Kindly suggest where I am going wrong.

|set union [search index=sc-perfmon counter="Avg. Disk sec/Read"| timechart avg(Value) by host] [ search index=sc-perfmon counter="Avg. Disk sec/Write" | timechart avg(Value) by host] [search index=sc-perfmon counter="Disk Reads/sec" | timechart avg(Value) by host] [search index=sc-perfmon counter="Disk Writes/sec" | timechart avg(Value) by host]

Thanks
Ankit

0 Karma

vinitatsky
Communicator

Can you try 'append' and check if it works?
|set union [search index=sc-perfmon counter="Avg. Disk sec/Read"| timechart avg(Value) by host] [ append search index=sc-perfmon counter="Avg. Disk sec/Write" | timechart avg(Value) by host] [ append search index=sc-perfmon counter="Disk Reads/sec" | timechart avg(Value) by host] [ append search index=sc-perfmon counter="Disk Writes/sec" | timechart avg(Value) by host]

vinitatsky
Communicator

Just append and not append

0 Karma

sunnyparmar
Communicator

Thanks for the reply. I have tried, but it is giving the error below:

Error in 'append' command: The last argument must be a subsearch.

0 Karma

vinitatsky
Communicator

Can you try removing 'union' and using 'append'?

0 Karma

sunnyparmar
Communicator

After removing union, is the command given below in the right format?

[append search index=sc-perfmon counter="Avg. Disk sec/Read"| timechart avg(Value) by host] [ append search index=sc-perfmon counter="Avg. Disk sec/Write" | timechart avg(Value) by host]
[append search index=sc-perfmon counter="Disk Reads/sec" | timechart avg(Value) by host] [append search index=sc-perfmon counter="Disk Writes/sec" | timechart avg(Value) by host]

0 Karma

vinitatsky
Communicator

[search index=sc-perfmon counter="Avg. Disk sec/Read"| timechart avg(Value) by host] append [search index=sc-perfmon counter="Avg. Disk sec/Write" | timechart avg(Value) by host]
append [search index=sc-perfmon counter="Disk Reads/sec" | timechart avg(Value) by host] append [search index=sc-perfmon counter="Disk Writes/sec" | timechart avg(Value) by host]

0 Karma

sunnyparmar
Communicator

Thanks for replying, but it is showing no results found 😞

0 Karma

sunnyparmar
Communicator

When I run these counters in separate queries, it shows results. The queries are:

1.) index=sc-perfmon (counter="Avg. Disk sec/Read" OR counter="Avg. Disk sec/Write" ) host=BWIN7136 | timechart avg(Value) by counter

2.) index=sc-perfmon (counter="Disk Reads/sec" OR counter="Disk Writes/sec" ) host=BWIN7136 | timechart avg(Value) by counter

0 Karma

vinitatsky
Communicator

Sorry, my mistake. Can you please try using appendcols instead of append? I hope it works.

0 Karma

sunnyparmar
Communicator

Still showing the same result (no result found).

0 Karma

vinitatsky
Communicator

index=sc-perfmon counter="Avg. Disk sec/Read" OR counter="Avg. Disk sec/Write" OR counter="Disk Reads/sec" OR counter="Disk Writes/sec" | chart avg(Value) over _time by counter

0 Karma

sunnyparmar
Communicator

It works. Thanks a lot.

0 Karma