Solved: Join subsearch and realtime

timmalos · ‎08-21-2013

Got 2 input datas, one pulled every two minutes and the other every 10 minutes.
I would like to have a table containing columns from the two datas (= 2 sourcetypes) in real-time

I used appendcols like this :

sourcetype="cswports" host=sanlacsw2|dedup swFCPortIndex sortby -_time|sort +swFCPortIndex | appendcols [sourcetype="cswports-sfp" host=sanlacsw2 |dedup swSFPId sortby -_time|sort +swFCPortIndex]|table _time swFCPortIndex swFCPortSpecifier swFCPortPhyState swSFPTemp swSFPVoltage swSFPCurrent

But the subsearch is not in real-time.
Do you see another way?
Thxs for your help,

Datas look like : (each line=One port)
Sourcetype=CSWPorts

Sourcetype=CSWPorts-SFP

dart · ‎08-27-2013

Does something like this work for your usecase?

sourcetype="cswports" OR sourcetype="cswports-sfp" host=sanlacsw2 | stats first(_time) first(swFCPortSpecifier) first(swFCPortPhyState)  first(swSFPTemp) first(swSFPVoltage) first(swSFPCurrent) by swFCPortIndex

I'm not sure if you want first() or last() in your search

View solution in original post

dart · ‎08-27-2013

Does something like this work for your usecase?

sourcetype="cswports" OR sourcetype="cswports-sfp" host=sanlacsw2 | stats first(_time) first(swFCPortSpecifier) first(swFCPortPhyState)  first(swSFPTemp) first(swSFPVoltage) first(swSFPCurrent) by swFCPortIndex

I'm not sure if you want first() or last() in your search

timmalos · ‎08-27-2013

was last() but thks !

Join subsearch and realtime

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor