Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Join two searches and draw them on the same chart

baranova
New Member
‎06-02-2014 01:03 AM

Hello guys ,

I kinda need your help , i spend some time on this query and i don't really see how to do that ( tried join ad add column )

Here is an example of my table :

Sold on Bought on Car
aug14 oct12 Ferrari
july14 sept13 Lamborghini
sept13 aug13 Porsh
nov13 oct13 Mercedes

The thing i wanna do is to show for each month ( i know how to do that ) the number of cars bought AND sold . The car doesn't mar

So basically i have to count sold on and Car for each of the months , and the same thing for car and bought .

But how to join them ?? ...

Thanks a lot !

Tags (2)
0 Karma
Reply

MuS
Legend
‎06-02-2014 02:10 AM

Hi baranova,

take this run everywhere example, this will take events from two sources and displays them according to first day and last day of the week they were seen and lists them by mySeries

index=_internal source=*metrics.log OR source=*splunkd.log ( series OR WatchedFile ) earliest=-7d@d 
| eval mySeries=coalesce(file,series) 
| stats first(date_wday) AS first_week last(date_wday) AS last_week count by mySeries

What happens here is that the first line filters the events from two sources for series OR WatchedFile, the eval is used to create a new field either using the file (from splunkd.log) or the series (from metrics.log), last the stats is used to count and display the result.

Adapted to your search and assuming you have fields ready for Sold on, Bought on and Car try something like this:

 your base search to get all needed events
| stats first(Bought_on) AS Bought last(Sold_on) AS Sold count by Car

hope I did get your question right and this helps to get you started ...

btw, try to avoid field names with spaces in it.

cheers, MuS

0 Karma
Reply

baranova
New Member
‎06-02-2014 02:43 AM

Hello and thanks a lot for your reply !

It's close with the thing i want , unfortunately I can't count by Car .

Basically here is the results i Need

august 13 sold 577 Bought 600
september 13 sold 400 bought 500

But again , thanks for the quick reply !

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...