Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to combine my two tstats searches?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
abbam
Explorer
04-04-2016
01:55 AM
Hi,
Wondering if someone could help me here, I'm trying to join two tstats searches together.
I basically want to get a result 120 minutes ago and a result for the last 60 minutes based on hosts.
Here is the search:
| tstats summariesonly=t prestats=t count as old from datamodel=Web WHERE earliest=-120m latest=-60m by host | stats count as old by host | tstats summariesonly=t prestats=t append=t count as new from datamodel=Web WHERE earliest=-60m latest=now by host | stats count as new by host
Any idea why this doesn't work?
Thanks!
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
04-04-2016
08:26 AM
Try like this
| tstats summariesonly=t prestats=t count from datamodel=Web WHERE earliest=-120m@m latest=@m by host _time span=1m | eval Period=if(_time>relative_time(now(),"-60m@m"),"New","Old") | chart sum(count) over host by Period
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
04-04-2016
08:26 AM
Try like this
| tstats summariesonly=t prestats=t count from datamodel=Web WHERE earliest=-120m@m latest=@m by host _time span=1m | eval Period=if(_time>relative_time(now(),"-60m@m"),"New","Old") | chart sum(count) over host by Period
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
abbam
Explorer
04-05-2016
03:00 AM
Thanks for that.
Afraid it doesn't work. sum(count) has no values, but I know there are numbers there because I can do it without using the datamodel.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
MuS
Legend
04-05-2016
03:03 AM
Maybe this will help https://answers.splunk.com/answers/215346/best-practices-to-join-two-child-objects-of-a-data.html ?
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
abbam
Explorer
04-05-2016
03:01 AM
Managed to fix it by,
| tstats summariesonly=t prestats=t count from datamodel=Matin WHERE earliest=-120m@m latest=@m by host _time span=1m | eval Period=if(_time>relative_time(now(),"-60m@m"),"New","Old") | chart count over host by Period
Thanks!!!!!
Get Updates on the Splunk Community!
Detecting Remote Code Executions With the Splunk Threat Research Team
REGISTER NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If ...
Observability | Use Synthetic Monitoring for Website Metadata Verification
If you are on Splunk Observability Cloud, you may already have Synthetic Monitoringin your observability ...
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
Tuesday, May 14, 2024 | 11AM PT / 2PM ET
Register to Attend
Join us for this Tech Talk and learn how to ...
