- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Re: Single result out of multiple queries
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As part of an application we're trying to develop, we want to be able to track multiple event types (requests per hour, sales per hour, etc) and from those generate a higher level metric (conversions, for example). Ideally, we would want to run each query independently, and then generate and show the higher level metric based on those results. Is there any way within the app framework to pull values out of a query or search and combine it with values from other queries/searches without actually combining the queries?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Found a workable solution using the outputlookup command. I can run each query in a HiddenSearch and use outputlookup to write the outputs to .csv files, then read and work with them in the HTML5/JavaScript to generate the higher order metrics.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Found a workable solution using the outputlookup command. I can run each query in a HiddenSearch and use outputlookup to write the outputs to .csv files, then read and work with them in the HTML5/JavaScript to generate the higher order metrics.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I use the join command to combine the results of different searches.
http://docs.splunk.com/Documentation/Splunk/5.0.3/SearchReference/Join
Simple Example:
index=anindex sourcetype="asourcetype" | join join_field [search index=anotherindex sourcetype="bsourcetype"]
(Very) Complex Example:
index=anindex sourcetype="asourcetype" | join type=left max=0 join_field [search index=anotherindex (sourcetype="b1sourcetype" OR sourcetype="b2sourcetype")] | where search_field="foobar" | eval found_join=if(isnull(anotherfield), "not joined", "joined") | fields join_field, search_field, found_join, anotherfield
PS: Maybe you also want to take a look at how to use subsearches:
http://docs.splunk.com/Documentation/Storm/Storm/User/Useasubsearch
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the useful link, but that was unfortunately exactly what I was trying not to do. What I want is to run several searches independent of each other, pull a single value or set of values out of each search and from those values calculate a new value.
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
