Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

joinできなかった結果を含めて表示する方法はないでしょうか

kaoriaraki
Explorer
‎04-07-2014 06:47 PM

先週と今週の結果を比較するサーチを実行したいと考えています。
下記の例では曜日をキーにjoinして比較していますが、週の半ば(例えば水曜日)にサーチを実行すると水曜日までのグラフしか表示されません。
先週分は、日曜日から土曜日までの1週間分を表示し、今週分はサーチを実行した曜日までの結果を表示する方法がありましたらご教示ください。

index=_internal earliest=@w0 source=metric group=per_index_thruput series=_audit |timechart span=1d sum(ev) as 今週 values(date_wday) as wday |join wday [search index=_internal earliest=-1w@w0 latest=@w0 source=metric group=per_index_thruput series=_audit |timechart span=1d values(date_wday) as wday sum(ev) as 先週|fields - _time] |fields - wday

joinでは実現出来ない場合、他の方法をアドバイスいただけると助かります。

Reply
1 Solution
Solved! Jump to solution
Solution

kaoriaraki
Explorer
‎04-07-2014 10:03 PM

joinを使って比較する方法はわかりませんでしたが、appendcolsを使って曜日毎に比較することが出来ました。

index=_internal earliest=@w0 latest=@w0+7d source=metric group=per_index_thruput series=_audit |timechart span=1d sum(ev) as thisWeek values(date_wday) as wday |appendcols [search index=_internal earliest=-1w@w0 latest=@w0 source=metric group=per_index_thruput series=_audit |timechart span=1d values(date_wday) as wday sum(ev) as lastWeek |fields - _time] |chart list(_time) as _time list(thisWeek) as 今週 list(lastWeek) as 先週 by wday |sort _time|fields - wday

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

kaoriaraki
Explorer
‎04-07-2014 10:03 PM

joinを使って比較する方法はわかりませんでしたが、appendcolsを使って曜日毎に比較することが出来ました。

index=_internal earliest=@w0 latest=@w0+7d source=metric group=per_index_thruput series=_audit |timechart span=1d sum(ev) as thisWeek values(date_wday) as wday |appendcols [search index=_internal earliest=-1w@w0 latest=@w0 source=metric group=per_index_thruput series=_audit |timechart span=1d values(date_wday) as wday sum(ev) as lastWeek |fields - _time] |chart list(_time) as _time list(thisWeek) as 今週 list(lastWeek) as 先週 by wday |sort _time|fields - wday

0 Karma
Reply
Get Updates on the Splunk Community!

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Community Feedback

We Want to Hear from You! Share Your Feedback on the Splunk Community   The Splunk Community is built for you ...

Manual Instrumentation with Splunk Observability Cloud: Implementing the ...

In our observability journey so far, we've built comprehensive instrumentation for our Worms in Space ...