Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

mstats with host subquery

matthewwhittle
Explorer
‎11-02-2020 05:47 PM

Hi all!

I have this query which gets me the list of hosts

stuff stuff stuff | rename host as host_changed | dedup host_changed | table host_changed

it works beautifully.  

Now I have this other query

| mstats prestats=true avg(load.*) WHERE (`sai_metrics_indexes`) AND host=lalalala by host span=1m | timechart span=1m avg(load.longterm) AS Longterm by host

which also works perfectly

Now, what I want to do, it effectively combine the two, but I cannot seem to get the syntax right

| mstats prestats=true avg(load.*) WHERE (`sai_metrics_indexes`) AND host in [search stuff stuff stuff | rename host as host_changed | dedup host_changed | table host_changed] by host span=1m | timechart span=1m avg(load.longterm) AS Longterm by host

Thoughts?  Thanks!

 

Labels (1)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎11-03-2020 06:45 AM

Run the subsearch by itself with "| format" appended to it.  You should get something that looks like

 

(host="foo" OR host="bar" OR host="baz")

 

Add that to the main search to get

 

| mstats prestats=true avg(load.*) WHERE (`sai_metrics_indexes`) AND host in (host="foo" OR host="bar" OR host="baz")

 

and you should see the problem.  The string returned by the subsearch makes no sense in the context of the main search.  The solution is to modify one or both searches so the result is good SPL.

 

| mstats prestats=true avg(load.*) WHERE (`sai_metrics_indexes`) AND 
  [search stuff stuff stuff 
  | rename host as host_changed 
  | return host_changed] by host span=1m 
| timechart span=1m avg(load.longterm) AS Longterm by host

 

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎11-03-2020 06:45 AM

Run the subsearch by itself with "| format" appended to it.  You should get something that looks like

 

(host="foo" OR host="bar" OR host="baz")

 

Add that to the main search to get

 

| mstats prestats=true avg(load.*) WHERE (`sai_metrics_indexes`) AND host in (host="foo" OR host="bar" OR host="baz")

 

and you should see the problem.  The string returned by the subsearch makes no sense in the context of the main search.  The solution is to modify one or both searches so the result is good SPL.

 

| mstats prestats=true avg(load.*) WHERE (`sai_metrics_indexes`) AND 
  [search stuff stuff stuff 
  | rename host as host_changed 
  | return host_changed] by host span=1m 
| timechart span=1m avg(load.longterm) AS Longterm by host

 

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

matthewwhittle
Explorer
‎11-04-2020 09:48 AM

Ah, but a theme off that variation works, taking the approach of modifying the mstats query

| mstats prestats=true avg(load.*) WHERE (`sai_metrics_indexes`) AND

  [search stuff stuff stuff

  | format] by host span=1m

| timechart span=1m avg(load.longterm) AS Longterm by host

0 Karma
Reply
Solved! Jump to solution

matthewwhittle
Explorer
‎11-04-2020 09:42 AM

Hi richgalloway,

Your response is very appreciated.  When I tried your suggestion below, I got the error

"Term based search is not supported"

0 Karma
Reply
Get Updates on the Splunk Community!

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

The Latest Cisco Integrations With Splunk Platform!

Join us for an exciting tech talk where we’ll explore the latest integrations in Cisco + Splunk! We’ve ...

AI Adoption Hub Launch | Curated Resources to Get Started with AI in Splunk

Hey Splunk Practitioners and AI Enthusiasts! It’s no secret (or surprise) that AI is at the forefront of ...
Top