- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to join fields from two different indexes and ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to join fields from two different indexes and times?
Hello,
i have to following problem.
I have one search, listing me some hosts and their matching environment, search range: all time.
index=idx_stats | top limit=10000 host,envi | fields - count,percent
And i have a second search, for the last 7 days, that delivers me the "per_host_thruput" from out of the Splunk _internal index. I want to match now those by host and day results with the list of host and environments above. How can i achieve that?
index="_internal" source="*metrics.log" group="per_host_thruput" | eval date=strftime(_time, "%F") | chart sum(kb) over series by date
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There are several ways to do this, depending on how you want the resulting chart (or table?) to look. So more information would be helpful. But here is a start
index=idx_stats earliest=0
| stats values(envi) by host
| join host [ search index="_internal" source="*metrics.log" group="per_host_thruput" earliest=-7d
| eval date=strftime(_time, "%F")
| rename series as host
| chart sum(kb) over host by date ]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well, you are searching idx_stats over all time. How big is this index?
Second, do these searches work individually? How long do they take to run?
index=idx_stats earliest=0
| stats values(host) by envi
and
index="_internal" source="*metrics.log" group="per_host_thruput" earliest=-7d
| eval date=strftime(_time, "%F")
| rename series as host
| chart sum(kb) over host by date
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Maybe...if i use a macro?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey, that was quick! Thank you.
I tried it the other way round, because i am interested in the GB not per Host but per "envi". But i didn´t get it to work. You suggested solution doesn´t unfortunately work either. I think the main problem are also the different time ranges for the search. The index=idx_stats search goes for a very long time, the other search is only 7 days.
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
