How to display last 24 hours data with query?

geetanjali · ‎05-17-2011

Hi,
i have my results :

Host | max(usage)

ABC | 100

xyz | 200

I want to add new column in table with max(usage) in last 24 hours by host.

| Max usage (last 24 hours)

| 90

| 200

I am using following query :
index="power" sourcetype="power_usage" | join [ search index="power" sourcetype="power_usage" earliest=-24h | stats max(Power_consumption) by host ]| chart max(Power_consumption) over host

Following error occur wit the query:-
[subsearch]: Your timerange was substituted based on your search string

If any body knows the solution, please let me know.

Thanks in advance.

OL · ‎05-17-2011

By the way, have you tried the eventstats function? It attaches a summary statistics to each event.

Regards,
Olivier

MarioM · ‎05-17-2011

Olivier is right eventstats might be a more appropriate command than "join" i suggested to you in another thread

OL · ‎05-17-2011

Hello,

I don't have the answer, but I can see a problem with the join function. It needs the field-list parameter as you can see in http://www.splunk.com/base/Documentation/latest/SearchReference/Join. In other word, you need to join your subsearch to something and the "field-list" is the common link between both search.

Hope it helps.

Regards,
Olivier

How to display last 24 hours data with query?

Detecting Remote Code Executions With the Splunk Threat Research Team

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk