Hi,
I have my results:
Host | max(usage)
ABC | 100
xyz | 200
I want to add a new column to the table with max(usage) in the last 24 hours by host.
| Max usage (last 24 hours)
| 90
| 200
Did you try join?
| join [ search <yoursearch> earliest=-24h | stats max(usage) by host ]
My initial search is for the max consumption over the entire log. But in the subsearch, I want the maximum consumption in the last 24 hours.
Host | max(usage) | Max usage (last 24 hours)
ABC | 100 | 90
xyz | 200 | 90
Your initial search is the same as your subsearch, then the subsearch is not needed; this should be enough:
index="power" sourcetype="power_usage" earliest=-24h | chart max(Power_consumption) over host
Hi,
I am writing the following query:
index="power" sourcetype="power_usage" | join [ search index="power" sourcetype="power_usage" earliest=-24h | table Power_consumption by host ]| chart max(Power_consumption) over host
It's again giving the following error:
[subsearch]: Your timerange was substituted based on your search string
What is the time range of your initial search? Just add the corresponding earliest= to this initial search too.
Hi,
Thanks for the solution. I have implemented this in my query. It's giving the following error:
[subsearch]: Your timerange was substituted based on your search string
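Added example, not part of any post in this thread: one way to produce both columns in a single pass, with no join or subsearch. It reuses the index, sourcetype and field names from the queries above and assumes that earliest=0 (all time) is the intended range for the "entire log" column.

```spl
index="power" sourcetype="power_usage" earliest=0
| eval usage_24h=if(_time >= relative_time(now(), "-24h"), Power_consumption, null())
| stats max(Power_consumption) as "max(usage)" max(usage_24h) as "Max usage (last 24 hours)" by host
```

A host with no events in the last 24 hours still gets a row, with the 24-hour column left empty.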