- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to combine my two searches and run another sea...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi ,
Request any help for the below questions:
1) I have two different searches:
sourcetype=bcd "JMS-120: Dequeue failed" OR "JMS-131: Session is closed" OR "Dequeue failed" source="servers/A_MS*/logs/SS*-diagc.log" destination="*" |stats count | RENAME count as DEQUEUE_ERROS
Results:
DEQUEUE_ERROS
100
sourcetype=bcd operation=* host=abcd*p |stats count |RENAME count as Consumers
Results:
Consumers
200
I want to combine both searches and get results like below:
DEQUEUE_ERROS 100
Consumers 200
Can you please help with the search?
Another question: I'm preparing a dashboard based on the above results and if I click on consumers, it has to execute another search below. Is that possible? If so, can you provide some guidance.
sourcetype=bcd operation=* ConsumerServices="*" host=abcd*p |stats count by ConsumerServices | sort -count
Any help is appreciated!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
One option, if your data volume is not too large, would be to use appendcols. Try this.
sourcetype=bcd "JMS-120: Dequeue failed" OR "JMS-131: Session is closed" OR "Dequeue failed" source="servers/A_MS*/logs/SS*-diagc.log" destination="*" |stats count | RENAME count as DEQUEUE_ERROS | appendcols [search sourcetype=bcd operation=* host=abcd*p |stats count |RENAME count as Consumers]
This will give you two columns - DEQUEUE_ERROS & Consumers.
In your dashboard (assuming tabular display), you could use conditional drilldown.
http://docs.splunk.com/Documentation/Splunk/6.2.1/Viz/PanelreferenceforSimplifiedXML#condition_.28dr...
So in your case, it would look like this
<drilldown>
<condition field="Consumers">
<link>http://www.google.com</link>
</condition>
</drilldown>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
One option, if your data volume is not too large, would be to use appendcols. Try this.
sourcetype=bcd "JMS-120: Dequeue failed" OR "JMS-131: Session is closed" OR "Dequeue failed" source="servers/A_MS*/logs/SS*-diagc.log" destination="*" |stats count | RENAME count as DEQUEUE_ERROS | appendcols [search sourcetype=bcd operation=* host=abcd*p |stats count |RENAME count as Consumers]
This will give you two columns - DEQUEUE_ERROS & Consumers.
In your dashboard (assuming tabular display), you could use conditional drilldown.
http://docs.splunk.com/Documentation/Splunk/6.2.1/Viz/PanelreferenceforSimplifiedXML#condition_.28dr...
So in your case, it would look like this
<drilldown>
<condition field="Consumers">
<link>http://www.google.com</link>
</condition>
</drilldown>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Than You ! It is showing the correct statistics , but when it comes to visualization , it is showing up wrong line graph to me , it is showing , x-axis as consumers and Y-axis as Dequeue errors ?
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
