Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

union results in a table

avishayh
Explorer
‎08-15-2013 12:06 AM

I am trying to display in one table a difference from a performance log to a specific service from 2 diffrent times (for example : how much time a service (avg and count) took today vs yesterday)

I tried using : stats/fields/table but each time my final result is a table where the 1st avg and the 2nd avg are not in the same row

index=asindex source=Prod sourcetype=performance vo!=null lastLap>10000 earliest=-3d@d latest=-2d@d | chart avg(lastLap) as avg_time  count  by vo | eval key="1st" | fields vo avg_time count key | append [ search index=asindex source=Prod sourcetype=performance vo!=null lastLap>10000 earliest=-2d@d latest=-1d@d | chart avg(lastLap) as avg_time2  count as count2  by vo | eval key="2nd" | fields vo avg_time2 count2 ]

vo - is the field who display the service name.

how can i union the avg_time2 and avg_time1 to be in the same row for a certain "vo"

Tags (1)
0 Karma
Reply

kristian_kolb
Ultra Champion
‎08-15-2013 04:18 AM

I think you are making this far more complicated than you need to. If I understand you correctly, a simple stats (or chart or timechart) might do the trick. And avoid join - really.

index=asindex source=Prod sourcetype=performance vo!=null lastLap>10000 earliest=-3d@d latest=-1d@d | timechart span=1d count avg(lastLap) by vo

another option might be to use chart instead of timechart;

... | chart count avg(lastLap) over vo by date_mday

Hope this helps,

K

0 Karma
Reply

linu1988
Champion
‎08-15-2013 01:02 AM

You could use join rather than append.

index=asindex source=Prod sourcetype=performance vo!=null lastLap>10000 earliest=-3d@d latest=-2d@d | chart avg(lastLap) as avg_time count by vo | eval key="1st" | fields vo avg_time count key | join host [ search index=asindex source=Prod sourcetype=performance vo!=null lastLap>10000 earliest=-2d@d latest=-1d@d | chart avg(lastLap) as avg_time2 count as count2 by vo | eval key="2nd" | fields vo avg_time2 count2 ]

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...