Splunk Search

How To Join Results From Multiple Searches

theironcook
Explorer

I'm trying to create a simple control chart (where I show a line 3 standard deviations away from the mean). I just need to calculate what the standard deviation is for my entire set of data, multiply by 3 and plot the line along with my data.

Originally I tried to use a pivot because I used DataSets for speed but eventually gave up.

Now I'm trying the search syntax and it appears like the "append" command is what I need.

host=serverName sourcetype=http_access_log | append [search host=serverName sourcetype=http_access_log | stats stdev(ResponseTime) as TotalStdDev] | table _time host ResponseTime TotalStdDev

I'm just trying to generate a simple table to start with that has the TotalStdDev copied for each entry. Maybe then I can start aggregating based on days. But I can't even get the total standard deviation for the entire data set into my table.

Any suggestions out there?
Thanks,

0 Karma
1 Solution

somesoni2
SplunkTrust
SplunkTrust

Give this a try

host=serverName sourcetype=http_access_log | eventstats stdev(ResponseTime) as TotalStdDev | table _time host ResponseTime TotalStdDev
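
The difference between the two searches is where the aggregate lands: append tacks the subsearch's single row of TotalStdDev onto the end of the result set, so every real event keeps an empty TotalStdDev and only the appended row has a value; eventstats computes the aggregate over all events the base search returns and writes it onto every event, which is exactly what a control-chart overlay needs. The following search is an added example (not from the thread) that carries that idea through to the chart the question asks for: mean and standard deviation over the whole result set, upper and lower control limits at three standard deviations, an outlier flag, and a per-day roll-up. The field names host, sourcetype and ResponseTime come from the question; Mean, UCL, LCL, Outlier, DailyAvg and span=1d are assumptions chosen for this example.

```spl
host=serverName sourcetype=http_access_log
| eventstats avg(ResponseTime) as Mean stdev(ResponseTime) as TotalStdDev
| eval UCL=Mean+3*TotalStdDev
| eval LCL=max(0, Mean-3*TotalStdDev)
| eval Outlier=if(ResponseTime>UCL, 1, 0)
| timechart span=1d avg(ResponseTime) as DailyAvg max(UCL) as UCL max(LCL) as LCL sum(Outlier) as Outliers
```

Two things to keep in mind when using it: the baseline (Mean and TotalStdDev) is computed only over the events inside the search's time range, so a narrow time picker gives a narrow baseline, and a single burst of slow responses will inflate TotalStdDev and widen the limits for the whole window; and LCL is clamped at zero because a negative lower limit is meaningless for a response time. max(UCL) and max(LCL) in the timechart simply carry the constant limits into each daily bucket so they plot as flat lines alongside DailyAvg.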

theironcook
Explorer

Nice! Thanks MuS and somesoni2!
I went with the eventstats option. It works beautifully.

0 Karma

MuS
SplunkTrust
SplunkTrust

Hi theironcook,

take a look at this answer https://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-jo... it provides some examples of how it can be done. The answer is not limited to two sources ... it can be applied to endless events.

Hope this helps ...

cheers, MuS
