Hi, I am facing problem with multiple subqueries i...

toabhishek16 · ‎09-30-2014

Query "index=idx1 sourcetype=src1 sender="xyz" | timechart count as res1" showing results properly, and

Query "index=idx1 sourcetype=src1 sender="abc" | timechart count as res2" not showing any result.

when I am trying to combine both the queries as below:
index=idx1 sourcetype=src1 sender="xyz" | timechart count as res1 | appendcols [search index=idx1 sourcetype=src1 sender="abc" | timechart count as res2] | fillnull res1, res2

it is giving result, but no value for _time field .

how I can get values for _time field.

pls help me....

ltrand · ‎09-30-2014

Joined Query
"index=idx1 sourcetype=src1 sender="xyz" OR sender="abc" | timechart count by sender

This is significantly more efficent than the options above. It makes a single pass in the index and sourcetype to pull the data and populates the chart. Before you have to query the same data twice to pull information. Then you have to join the two results before charting.

somesoni2 · ‎09-30-2014

Try something like this

index= idx1 sourcetype=src1 sender="abc" OR sender="xyz" | timechart count(eval(sender="abc") as res1 count(eval(sender="xyz") as res2

linu1988 · ‎09-30-2014

Hello,
Rather than appending the result

just do the below

index=idx1 sourcetype=src1 OR sourcetype=src2|timechart count by sourcetype

Thanks,
L

Hi, I am facing problem with multiple subqueries in timechart. it is not showing the value for _time field.

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...