Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

union results in a table

avishayh
Explorer
‎08-15-2013 12:06 AM

I am trying to display in one table a difference from a performance log to a specific service from 2 diffrent times (for example : how much time a service (avg and count) took today vs yesterday)

I tried using : stats/fields/table but each time my final result is a table where the 1st avg and the 2nd avg are not in the same row

index=asindex source=Prod sourcetype=performance vo!=null lastLap>10000 earliest=-3d@d latest=-2d@d | chart avg(lastLap) as avg_time  count  by vo | eval key="1st" | fields vo avg_time count key | append [ search index=asindex source=Prod sourcetype=performance vo!=null lastLap>10000 earliest=-2d@d latest=-1d@d | chart avg(lastLap) as avg_time2  count as count2  by vo | eval key="2nd" | fields vo avg_time2 count2 ]

vo - is the field who display the service name.

how can i union the avg_time2 and avg_time1 to be in the same row for a certain "vo"

Tags (1)
0 Karma
Reply

kristian_kolb
Ultra Champion
‎08-15-2013 04:18 AM

I think you are making this far more complicated than you need to. If I understand you correctly, a simple stats (or chart or timechart) might do the trick. And avoid join - really.

index=asindex source=Prod sourcetype=performance vo!=null lastLap>10000 earliest=-3d@d latest=-1d@d | timechart span=1d count avg(lastLap) by vo

another option might be to use chart instead of timechart;

... | chart count avg(lastLap) over vo by date_mday

Hope this helps,

K

0 Karma
Reply

linu1988
Champion
‎08-15-2013 01:02 AM

You could use join rather than append.

index=asindex source=Prod sourcetype=performance vo!=null lastLap>10000 earliest=-3d@d latest=-2d@d | chart avg(lastLap) as avg_time count by vo | eval key="1st" | fields vo avg_time count key | join host [ search index=asindex source=Prod sourcetype=performance vo!=null lastLap>10000 earliest=-2d@d latest=-1d@d | chart avg(lastLap) as avg_time2 count as count2 by vo | eval key="2nd" | fields vo avg_time2 count2 ]

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk, and empower your SOC to reach new heights! Duration: 1 hour  Prepare to ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...