Need help merging 2 stats outputs to one chart to ...

fonteca · ‎01-07-2015

Here is what the code looks like separate,

(my search) | stats sum(bytes) by src_ip | sort 5 -bytes

and

(my search) | stats sum(bytes) by dst_ip | sort 5 -bytes

I basically want to merge both of these outputs onto one graph so I don't have two separate graphs, (for space sake)

I have tried a combination of filters, append, appendcol, streamstats and I have had no luck yet.

Thanks for any/all help

somesoni2 · ‎01-12-2015

Just in case you're still interested in that panel, try this

(your base search) | eval IPAddr=src_ip." ".dst_ip | makemv IPAddr | stats sum(bytes) as Bytes by IPAddr

fdi01 · ‎01-08-2015

or

(my search) | streamstats sum(bytes) as sum_bytes_src_ip by src_ip| appendcols [search (my search)
| streamstats sum(bytes) as sum_bytes_dst_ip by dst_ip]
|table sum_bytes_src_ip src_ip sum_bytes_dst_ip dst_ip

Raghav2384 · ‎01-07-2015

(my search) |stats sum(bytes) as Bytes by src_ip,dst_ip

Thanks,
Raghav

fonteca · ‎01-12-2015

Thanks for your help, fdi01 and Raghav2384. I have attempted both of your solutions and couldn't reach the desired outcome I was looking for. So thusly I have decided to scrap this panel in favor of a different one. I would like to thank you both for your help though, it was much appreciated.

Need help merging 2 stats outputs to one chart to get a total bytes count over time per source and destination

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!