Solved: how to use UNION for 4 counter types

sunnyparmar · ‎06-23-2015

Hi,

I have 4 counters with the following name for the performance monitor of the system-

1.) Avg. Disk sec/Read
2.) Avg. Disk sec/Write
3.) Disk Reads/sec
4.) Disk Writes/sec

I want to see all above counters in one query in either bars or graphs so for that I am making my query like given below but it is not working. Kindly suggest where I am doing wrong?

|set union [search index=sc-perfmon counter="Avg. Disk sec/Read"| timechart avg(Value) by host] [ search index=sc-perfmon counter="Avg. Disk sec/Write" | timechart avg(Value) by host] [search index=sc-perfmon counter="Disk Reads/sec" | timechart avg(Value) by host] [search index=sc-perfmon counter="Disk Writes/sec" | timechart avg(Value) by host]

Thanks
Ankit

vinitatsky · ‎06-23-2015

Can you try 'append' and check if it works.
|set union [search index=sc-perfmon counter="Avg. Disk sec/Read"| timechart avg(Value) by host] [ append search index=sc-perfmon counter="Avg. Disk sec/Write" | timechart avg(Value) by host] [ append search index=sc-perfmon counter="Disk Reads/sec" | timechart avg(Value) by host] [ append search index=sc-perfmon counter="Disk Writes/sec" | timechart avg(Value) by host]

View solution in original post

vinitatsky · ‎06-23-2015

Can you try 'append' and check if it works.
|set union [search index=sc-perfmon counter="Avg. Disk sec/Read"| timechart avg(Value) by host] [ append search index=sc-perfmon counter="Avg. Disk sec/Write" | timechart avg(Value) by host] [ append search index=sc-perfmon counter="Disk Reads/sec" | timechart avg(Value) by host] [ append search index=sc-perfmon counter="Disk Writes/sec" | timechart avg(Value) by host]

vinitatsky · ‎06-23-2015

Just append and not append

sunnyparmar · ‎06-23-2015

Thanks for the reply..I have tried but it is giving below error ..

Error in 'append' command: The last argument must be a subsearch.

vinitatsky · ‎06-23-2015

Can you try - remove 'union' and use 'append'.

sunnyparmar · ‎06-23-2015

After removing of union is it the right format for the command given below?

[append search index=sc-perfmon counter="Avg. Disk sec/Read"| timechart avg(Value) by host] [ append search index=sc-perfmon counter="Avg. Disk sec/Write" | timechart avg(Value) by host]
[append search index=sc-perfmon counter="Disk Reads/sec" | timechart avg(Value) by host] [append search index=sc-perfmon counter="Disk Writes/sec" | timechart avg(Value) by host]

vinitatsky · ‎06-23-2015

[search index=sc-perfmon counter="Avg. Disk sec/Read"| timechart avg(Value) by host] append [search index=sc-perfmon counter="Avg. Disk sec/Write" | timechart avg(Value) by host]
append [search index=sc-perfmon counter="Disk Reads/sec" | timechart avg(Value) by host] append [search index=sc-perfmon counter="Disk Writes/sec" | timechart avg(Value) by host]

sunnyparmar · ‎06-23-2015

Thanks for replying but it is showing no result found 😞

sunnyparmar · ‎06-23-2015

When I am running these counters in separate queries then it is showing result. Queries are -

1.) index=sc-perfmon (counter="Avg. Disk sec/Read" OR counter="Avg. Disk sec/Write" ) host=BWIN7136 | timechart avg(Value) by counter

2.) index=sc-perfmon (counter="Disk Reads/sec" OR counter="Disk Writes/sec" ) host=BWIN7136 | timechart avg(Value) by counter

vinitatsky · ‎06-23-2015

Sorry. My mistake. Can you please try using appendcols, instead of append and I hope it works.

sunnyparmar · ‎06-23-2015

still showing the same result (no result found)..

vinitatsky · ‎06-23-2015

index=sc-perfmon counter="Avg. Disk sec/Read" OR counter="Avg. Disk sec/Write" OR counter="Disk Reads/sec" OR counter="Disk Writes/sec" | chart avg(Value) over _time by counter

sunnyparmar · ‎06-23-2015

it works.. thanks a lot...

how to use UNION for 4 counter types

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life