Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to make multiple searches combine into a table?

Russ
Explorer
‎08-23-2022 07:29 AM

Disclaimer - Fairly New to Splunk

I'm stuck on building a table for a dashboard.
I would like to list a table of Computer Names with columns displaying the last 5min average values for CPU% / Mem% / DiskTransfers / etc

The search is 

index=azure sourcetype="mscs:azure:eventhub:vmmetrics" body.Computer=* body.ObjectName="Processor" 
| stats first(body.CounterValue) by body.Computer



That gives me the last Processor value for each Computer. (I cant do 5min average - that can be a bonus point answer !)


How would I add the same search into the table but with replacing the body.ObjectName field value for
body.ObjectName="Memory" 
and then 
body.ObjectName="DiskTransfers" 

and then combine that into one table .

Thanks for helping 🙂

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎08-23-2022 05:59 PM

Use chart instead of stats

| chart first(CounterValue) over body.Computer by body.CounterName

 

View solution in original post

Reply
Solved! Jump to solution

Russ
Explorer
‎08-23-2022 05:50 PM

Thanks for the reply - yes - that's going the right way. I appreciate that  answering questions, when you cant see the data is best effort.

That does produce a table ('body.objectname' has become 'body.CounterName') as you can see.

index=azure sourcetype="mscs:azure:eventhub:vmmetrics" body.Computer=* (body.CounterName="% Processor Time" OR body.CounterName="% Committed Bytes In Use" OR body.CounterName="Disk Transfers/sec")
| eval CounterValue=round('body.CounterValue',0)
| stats first(CounterValue) by body.Computer body.CounterName

Russ_4-1661301747612.png

DO you know how I would get the body.CounterName fields to be the column headers?

ComputernameCPU%MEM%DiskRate
Comp134534
Comp25562

etc

Do you join up multiple searches or perhaps transpose or can you do a Stats field by field by field?

0 Karma
Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎08-23-2022 05:59 PM

Use chart instead of stats

| chart first(CounterValue) over body.Computer by body.CounterName

 

Reply
Solved! Jump to solution

Russ
Explorer
‎08-24-2022 05:25 AM

Yes - chart did the trick! Thanks

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-23-2022 07:47 AM

Without the benefit of seeing your events data, try something like this:

index=azure sourcetype="mscs:azure:eventhub:vmmetrics" body.Computer=* (body.ObjectName="Processor" OR body.ObjectName="Memory" OR body.ObjectName="DiskTransfers")
| stats first(body.CounterValue) by body.Computer body.ObjectName
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...