Hello,
I have the following problem.
I have one search listing some hosts and their matching environment; search range: all time.
index=idx_stats | top limit=10000 host,envi | fields - count,percent
And I have a second search, for the last 7 days, that delivers the "per_host_thruput" from the Splunk _internal index. I now want to match those per-host-and-day results with the list of hosts and environments above. How can I achieve that?
index="_internal" source="*metrics.log" group="per_host_thruput" | eval date=strftime(_time, "%F") | chart sum(kb) over series by date
There are several ways to do this, depending on how you want the resulting chart (or table?) to look, so more information would be helpful. But here is a start:
index=idx_stats earliest=0
| stats values(envi) by host
| join host [ search index="_internal" source="*metrics.log" group="per_host_thruput" earliest=-7d
| eval date=strftime(_time, "%F")
| rename series as host
| chart sum(kb) over host by date ]
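As an added example (not the answerer's search, and not from the original post): the same correlation written with `append` and `eventstats` instead of `join`. Each branch keeps its own time range (`earliest=0` for idx_stats, the last 7 days for _internal), the host/envi mapping is attached to every dated row with `eventstats`, and the mapping rows themselves are dropped afterwards. Field names `host`, `envi`, `series` and `kb` are taken from the searches in the thread; the `-7d@d` snap-to-midnight, the `gb` conversion and the final column layout are assumptions for illustration.

```spl
index=idx_stats earliest=0 latest=now
| stats values(envi) as envi by host
| append
    [ search index="_internal" source="*metrics.log" group="per_host_thruput" earliest=-7d@d latest=now
      | eval date=strftime(_time, "%F")
      | stats sum(kb) as kb by series date
      | rename series as host ]
| eventstats values(envi) as envi by host
| where isnotnull(date)
| eval gb=round(kb/1024/1024, 3)
| table host envi date kb gb
| sort host date
```

Hosts that appear in _internal but not in idx_stats come through with an empty `envi`, which is usually what you want to see rather than silently lose. To get totals per environment instead of per host, replace the `table`/`sort` lines with `stats sum(gb) as gb by envi date` (or `chart sum(gb) over envi by date`). The `append` subsearch is still subject to the subsearch result and time limits (`maxout`/`maxtime`, defaults from limits.conf), so check that the 7-day branch finishes inside them; the all-time scan of idx_stats is usually the slow part, and if the host-to-environment mapping changes rarely it is cheaper to write it once with `outputlookup` and use `lookup` in the 7-day search instead of rereading idx_stats every time.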
Well, you are searching idx_stats over all time. How big is this index?
Second, do these searches work individually? How long do they take to run?
index=idx_stats earliest=0
| stats values(host) by envi
and
index="_internal" source="*metrics.log" group="per_host_thruput" earliest=-7d
| eval date=strftime(_time, "%F")
| rename series as host
| chart sum(kb) over host by date
Maybe... if I use a macro?
Hey, that was quick! Thank you.
I tried it the other way round, because I am interested in the GB not per host but per "envi". But I didn't get it to work. Your suggested solution unfortunately doesn't work either. I think the main problem is also the different time ranges of the searches: the index=idx_stats search covers a very long time, the other search only 7 days.