Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

joinできなかった結果を含めて表示する方法はないでしょうか

kaoriaraki
Explorer
‎04-07-2014 06:47 PM

先週と今週の結果を比較するサーチを実行したいと考えています。
下記の例では曜日をキーにjoinして比較していますが、週の半ば(例えば水曜日)にサーチを実行すると水曜日までのグラフしか表示されません。
先週分は、日曜日から土曜日までの1週間分を表示し、今週分はサーチを実行した曜日までの結果を表示する方法がありましたらご教示ください。

index=_internal earliest=@w0 source=metric group=per_index_thruput series=_audit |timechart span=1d sum(ev) as 今週 values(date_wday) as wday |join wday [search index=_internal earliest=-1w@w0 latest=@w0 source=metric group=per_index_thruput series=_audit |timechart span=1d values(date_wday) as wday sum(ev) as 先週|fields - _time] |fields - wday

joinでは実現出来ない場合、他の方法をアドバイスいただけると助かります。

Reply
1 Solution
Solved! Jump to solution
Solution

kaoriaraki
Explorer
‎04-07-2014 10:03 PM

joinを使って比較する方法はわかりませんでしたが、appendcolsを使って曜日毎に比較することが出来ました。

index=_internal earliest=@w0 latest=@w0+7d source=metric group=per_index_thruput series=_audit |timechart span=1d sum(ev) as thisWeek values(date_wday) as wday |appendcols [search index=_internal earliest=-1w@w0 latest=@w0 source=metric group=per_index_thruput series=_audit |timechart span=1d values(date_wday) as wday sum(ev) as lastWeek |fields - _time] |chart list(_time) as _time list(thisWeek) as 今週 list(lastWeek) as 先週 by wday |sort _time|fields - wday

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

kaoriaraki
Explorer
‎04-07-2014 10:03 PM

joinを使って比較する方法はわかりませんでしたが、appendcolsを使って曜日毎に比較することが出来ました。

index=_internal earliest=@w0 latest=@w0+7d source=metric group=per_index_thruput series=_audit |timechart span=1d sum(ev) as thisWeek values(date_wday) as wday |appendcols [search index=_internal earliest=-1w@w0 latest=@w0 source=metric group=per_index_thruput series=_audit |timechart span=1d values(date_wday) as wday sum(ev) as lastWeek |fields - _time] |chart list(_time) as _time list(thisWeek) as 今週 list(lastWeek) as 先週 by wday |sort _time|fields - wday

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...