I am trying to display in one table a difference from a performance log to a specific service from 2 different times (for example: how much time a service (avg and count) took today vs. yesterday).
I tried using stats/fields/table, but each time my final result is a table where the 1st avg and the 2nd avg are not in the same row.
index=asindex source=Prod sourcetype=performance vo!=null lastLap>10000 earliest=-3d@d latest=-2d@d | chart avg(lastLap) as avg_time count by vo | eval key="1st" | fields vo avg_time count key | append [ search index=asindex source=Prod sourcetype=performance vo!=null lastLap>10000 earliest=-2d@d latest=-1d@d | chart avg(lastLap) as avg_time2 count as count2 by vo | eval key="2nd" | fields vo avg_time2 count2 ]
vo is the field that displays the service name.
How can I union the avg_time2 and avg_time1 to be in the same row for a certain "vo"?
I think you are making this far more complicated than you need to. If I understand you correctly, a simple stats (or chart or timechart) might do the trick. And avoid join - really.
index=asindex source=Prod sourcetype=performance vo!=null lastLap>10000 earliest=-3d@d latest=-1d@d | timechart span=1d count avg(lastLap) by vo
Another option might be to use chart instead of timechart:
... | chart count avg(lastLap) over vo by date_mday
Hope this helps,
K
You could use join rather than append.
index=asindex source=Prod sourcetype=performance vo!=null lastLap>10000 earliest=-3d@d latest=-2d@d | chart avg(lastLap) as avg_time count by vo | eval key="1st" | fields vo avg_time count key | join vo [ search index=asindex source=Prod sourcetype=performance vo!=null lastLap>10000 earliest=-2d@d latest=-1d@d | chart avg(lastLap) as avg_time2 count as count2 by vo | eval key="2nd" | fields vo avg_time2 count2 ]
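As an added example (not part of either answer above), a single search over both days can produce one row per vo with the column names from the question, without append or join. The base search, time ranges and output field names are taken from the question; the field name period is a hypothetical helper introduced here.

```spl
index=asindex source=Prod sourcetype=performance vo!=null lastLap>10000 earliest=-3d@d latest=-1d@d
| eval period=if(_time < relative_time(now(), "-2d@d"), "1st", "2nd")
| stats avg(eval(if(period="1st", lastLap, null()))) as avg_time
        count(eval(period="1st")) as count
        avg(eval(if(period="2nd", lastLap, null()))) as avg_time2
        count(eval(period="2nd")) as count2
        by vo
```

A vo that logged events in only one of the two days still gets a row, with an empty average and a count of 0 for the other day.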