
How to combine my 2 searches?

bosch_softtec
Path Finder

Hi,

splunk Version 6.5.0

I'm trying to combine 2 searches and get 1 result from them. I tried the following without any success; maybe it's only wrong syntax I used:

index=rabbitmq | search properties_key="lsg*" | stats count by vhost, properties_key | table vhost | stats count(vhost) as Total | join [index=rabbitmq earliest=-60 | search properties_key="lsg*" | stats count by vhost, properties_key | table vhost | stats count(vhost) as Online] | eval difference=Total-Online

also I tried:

index=rabbitmq | search properties_key="lsg*" | stats count by vhost, properties_key | table vhost | stats count(vhost) as Total | append [index=rabbitmq earliest=-60 | search properties_key="lsg*" | stats count by vhost, properties_key | table vhost | stats count(vhost) as Online] | eval difference=Total-Online

What did I do wrong?

Thanks for your tips and answers

0 Karma
1 Solution

twinspop
Influencer

A few things: I don't understand what you're trying to do with the first 2 stats() commands. A count of properties_key? Maybe you want to use dc()? I'm leaving it as is, mostly. In any case, the first 2 search terms can definitely come together, and the table command doesn't do anything for you. When you have a sub search, you must explicitly declare the search command to use -- in this case, search. But I don't see that you're "join"ing any data. Probably appendcols is what you want?

index=rabbitmq properties_key="lsg*" | stats count by vhost, properties_key | stats count(vhost) as Total | appendcols [search index=rabbitmq earliest=-60 properties_key="lsg*" | stats count by vhost, properties_key | stats count(vhost) as Online] | eval difference=Total-Online

I hope this helps.


0 Karma
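An added example, not from this thread: the same Total/Online/difference result computed in a single pass instead of a subsearch, using dc() as suggested above. Sample events are constructed with makeresults (vhost, properties_key and timestamps are made up) so it runs without a rabbitmq index; the "online" window is 60 seconds, matching earliest=-60, which Splunk reads as seconds when no unit is given.

```spl
| makeresults count=4
| streamstats count AS n
| eval vhost=case(n=1,"vh-a", n=2,"vh-b", n=3,"vh-c", n=4,"vh-a"),
       properties_key=case(n=1,"lsg.order", n=2,"lsg.ship", n=3,"lsg.bill", n=4,"lsg.order"),
       _time=now() - case(n=1,10, n=2,30, n=3,3600, n=4,7200)
| search properties_key="lsg*"
| eval online=if(_time >= relative_time(now(), "-60s"), 1, 0)
| stats dc(vhost) AS Total, dc(eval(if(online=1, vhost, null()))) AS Online
| eval difference=Total-Online
```

With the constructed events this yields one row, Total=3, Online=2, difference=1; because both counts come from the same stats pass, there is no subsearch row limit and no risk of append producing two rows where eval finds only one of the fields.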


bosch_softtec
Path Finder

Thanks for the dc() and table hint, I'll check it.
Your adapted search is working with appendcols.

0 Karma