Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

join question

mark_chuman
Path Finder
‎03-01-2016 09:34 AM

here is my search - | dbquery "TQOMA" "SELECT "System", "%busy" FROM TQSTDBO.CPUVMSUM where "System" LIKE '%ntx%'"

basically, this returns a result for each system every sampling period. So, what I have is one line that represents all the samplings. I'd like to have a line for each system, but can't figure out how to do this. I was thinking something like this, but doesn't seem to work.

join System [| dbquery "TQOMA" "SELECT "System", "%busy" FROM TQSTDBO.CPUVMSUM where "System" LIKE '%ntx%'"]

Thanks for any feedback!

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

mark_chuman
Path Finder
‎03-01-2016 10:19 AM

I got it.

| dbquery "TQOMA" "SELECT "Time", "System", "%busy" FROM TQSTDBO.CPUVMSUM where "System" LIKE '%ntx%'" | eval _time=Time | timechart avg(%busy) by System

View solution in original post

0 Karma
Reply
Solved! Jump to solution

muebel
SplunkTrust
SplunkTrust
‎03-01-2016 10:25 AM

Hi Mark, I believe you will want to use the dbquery command to get your initial events, and then pipe it to stats values to get the set of %busy by system. Like so:

| dbquery "TQOMA" "SELECT "System", "%busy" FROM TQSTDBO.CPUVMSUM where "System" LIKE '%ntx%'" | stats values(%busy) by System

Or at least, something along those lines. Join is used to make a table with two data sets, joining on a particular common field, which I don't think is exactly what you are after in this case.

Please let me know if this helps!

0 Karma
Reply
Solved! Jump to solution
Solution

mark_chuman
Path Finder
‎03-01-2016 10:19 AM

I got it.

| dbquery "TQOMA" "SELECT "Time", "System", "%busy" FROM TQSTDBO.CPUVMSUM where "System" LIKE '%ntx%'" | eval _time=Time | timechart avg(%busy) by System

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎03-01-2016 09:59 AM

By "what I have is one line that represents all the samplings. I'd like to have a line for each system", do you mean in chart you're getting one line for overall %busy and you want to have a separate line for each System?

Can you provide some sample data as well? I don't think you need join here (join anyways is used to join two result sets, all I see it one single result set).

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...