Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- merging two search strings
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
merging two search strings
I have two search string:
index=os source=Perfmon:LocalMainMemory
| where like(counter,"% Committed Bytes In Use")
| stats avg(Value) as "avgMemPct", max(Value) as "peakMemPct" by host
index=os sourcetype=Perfmon:LocalProcessor
| where like(counter,"% Processor Time")
| stats avg(Value) as "avgCpuPct", max(Value) as "peakCpuPct" by host
How to merge these two with out using JOIN. We can use OR.
I have tried
index=os source=Perfmon:LocalMainMemory OR sourcetype=Perfmon:LocalProcessor
| where like(counter,"% Committed Bytes In Use")
| where like(counter,"% Processor Time")
| stats avg(Value) as "avgMemPct", max(Value) as "peakMemPct" avg(Value1) as "avgCpuPct", max(Value1) as "peakCpuPct" by host
But is it not giving any value. Looks like I cannot use Value1. Can anyone help me!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That will not work. The first 'where' will filter out all but events with 'committed bytes', and the second will filter out all events but those that have 'processor time'. which will be none.
Try doing something like this instead;
index=x sourcetype=y OR sourcetype=z counter="*Processor Time" OR counter = "*Committed bytes*" | stats avg(Value) max(Value) by counter, host
Hope this helps,
Kristian
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Then have a look at the chart command.
With 'chart blah blah over X by Y', you get the results on different axes.. axis? axises??
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Kristian.. I have tried with your suggestion but it is giving the data in the format I want it to be. I need the data should come one row per host.It is not providing that
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have also tried:
index=os source=Perfmon:LocalMainMemory OR sourcetype=Perfmon:LocalProcessor
| where like(counter,"% Committed Bytes In Use")
| eval CommittedBytes=Value
| where like(counter,"% Processor Time")
| eval ProcessorTime=Value
| stats avg(CommittedBytes) as "avgMemPct", max(CommittedBytes) as "peakMemPct" avg(ProcessorTime) as "avgCpuPct", max(ProcessorTime) as "peakCpuPct" by host but not working
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Did you even try the suggestion? How do you 'read' the search? What does it do? OR?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So is there no way of merging these two strings with OR..rght??
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
