@devsru wrote: thanks @yuanliu The Solution seems working but i am getting extra fields. For Example In the below query I am getting results for SPL after append command then why i am seeing empty fields of the first search Filesystem, MountedON etc. | mstats latest(df_metric.Used_KB) as "Used_KB", latest(df_metric.Avail_KB) as "Avail_KB", latest(df_metric.UsePct) as "UsePct", WHERE (`itsi_entity_type_ta_nix_metrics_indexes`) AND host=* (earliest="-5m" latest="now") by Filesystem, MountedOn, Type | eval UsePct=round(UsePct,2), Used_KB=round(Used_KB), Avail_KB=round(Avail_KB) | append [ | mstats min("LogicalDisk.%_Free_Space") prestats=true WHERE (`itsi_entity_type_windows_metrics_indexes`) AND host=* span=1m AND NOT "instance"="_Total" by instance | timechart span=1m min("LogicalDisk.%_Free_Space") as val by instance | eval val=100-val | fields - _time | head 1] This is getting all too confusing. In the original question, both searches ends with xyseries. That is why my proposed combined search ends with xyseries. The above code has no xyseries. In the original question, both searches are reduced to contain the same three fields: _time, val, and instance. Therefore my proposed combined search contains the same three fields before append and inside append. In the above code, only the part inside append is reduced to three fields; the part before append contains "Used_KB", "Avail_KB", "UsePct", "Filesystem", "MountedOn", and "Type". How are these reduced to val and instance? In the original question, both mstats commands have a "span=1m" clause, meaning that output would contain rows in 1-minute increment of the search window. That's why my proposed combined search runs xyseries against _time as specified in the two original searches. The above code has no span=1m in the main search, and explicitly removes _time from the appended search. This totally changes the question. Therefore whatever result you get from the above code has no relationship to the original question. You should start a different question, carefully describe/illustrate the data after mstats, carefully illustrate what kind of results you are looking for, and describe the logic between data and desired results. In the form of the above code, your header would have contained "Used_KB", "Avail_KB", "UsePct", "Filesystem", "MountedOn", and "Type" (all from the first search), "val", and "instance" (from appended search). This would have give you header rows "Used_KB", "Avail_KB", "UsePct", "Filesystem", "MountedOn", "Type", "val", and "instance", NOT "Used_KB", "Avail_KB", "UsePct", "Filesystem", "MountedOn", "Type", "C:", "D:", "E:", "HarddiskVolume1", and "HarddiskVolume2" as the screenshot shows. In other words, the above code could not have produced the screenshot. What is the real code that produced the that screenshot? If, as the screenshot shows, "Used_KB", "Avail_KB", "UsePct", "Filesystem", "MountedOn", and "Type" are all blank, it only means that the search before append gives all null output, i.e., | mstats latest(df_metric.Used_KB) as "Used_KB", latest(df_metric.Avail_KB) as "Avail_KB", latest(df_metric.UsePct) as "UsePct", WHERE (`itsi_entity_type_ta_nix_metrics_indexes`) AND host=* (earliest="-5m" latest="now") by Filesystem, MountedOn, Type
| eval UsePct=round(UsePct,2), Used_KB=round(Used_KB), Avail_KB=round(Avail_KB) is simply blank. If so, what is the point of running it with append? Additionally, if you only care about removing "Used_KB", "Avail_KB", "UsePct", "Filesystem", "MountedOn", and "Type" from final display, you should run fields - "Used_KB", "Avail_KB", "UsePct", "Filesystem", "MountedOn", "Type" after append, not inside append. Could you reconcile the above to the original question? If the original question is not the real question, start a different question. Carefully describe/illustrate the data after mstats, carefully illustrate what kind of results you are looking for, and describe the logic between data and desired results.
... View more
