Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

union results in a table

avishayh
Explorer
‎08-15-2013 12:06 AM

I am trying to display in one table a difference from a performance log to a specific service from 2 diffrent times (for example : how much time a service (avg and count) took today vs yesterday)

I tried using : stats/fields/table but each time my final result is a table where the 1st avg and the 2nd avg are not in the same row

index=asindex source=Prod sourcetype=performance vo!=null lastLap>10000 earliest=-3d@d latest=-2d@d | chart avg(lastLap) as avg_time  count  by vo | eval key="1st" | fields vo avg_time count key | append [ search index=asindex source=Prod sourcetype=performance vo!=null lastLap>10000 earliest=-2d@d latest=-1d@d | chart avg(lastLap) as avg_time2  count as count2  by vo | eval key="2nd" | fields vo avg_time2 count2 ]

vo - is the field who display the service name.

how can i union the avg_time2 and avg_time1 to be in the same row for a certain "vo"

Tags (1)
0 Karma
Reply

kristian_kolb
Ultra Champion
‎08-15-2013 04:18 AM

I think you are making this far more complicated than you need to. If I understand you correctly, a simple stats (or chart or timechart) might do the trick. And avoid join - really.

index=asindex source=Prod sourcetype=performance vo!=null lastLap>10000 earliest=-3d@d latest=-1d@d | timechart span=1d count avg(lastLap) by vo

another option might be to use chart instead of timechart;

... | chart count avg(lastLap) over vo by date_mday

Hope this helps,

K

0 Karma
Reply

linu1988
Champion
‎08-15-2013 01:02 AM

You could use join rather than append.

index=asindex source=Prod sourcetype=performance vo!=null lastLap>10000 earliest=-3d@d latest=-2d@d | chart avg(lastLap) as avg_time count by vo | eval key="1st" | fields vo avg_time count key | join host [ search index=asindex source=Prod sourcetype=performance vo!=null lastLap>10000 earliest=-2d@d latest=-1d@d | chart avg(lastLap) as avg_time2 count as count2 by vo | eval key="2nd" | fields vo avg_time2 count2 ]

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | Why did the turkey cross the road?

November 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...