Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Show a chart based on host found in another search

chadman
Path Finder
‎07-21-2016 09:02 AM

Ok, So I have two searches that work great. One will find computers with slow ping times. The other will create a chart of the ping times based on one host name. I would like somehow combine these two search's, but not sure how to do it. I would like my end result to be a chart that shows all the computers with slow ping times on one chart that plots there ping times.

Here is a search I use to grab the computers I would like to chart.

sourcetype="search1" earliest=-15m | where internal_time > 250 | stats count(internal_time) as Count by host | where Count > 3 | dedup host| table host,Count

And here is the chart I use to for one computer.

sourcetype="search1" host=$desktop$ | timechart avg(internal_time) as "Ping Time"
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎07-21-2016 09:08 AM

How about this?

sourcetype="search1" earliest=-60m@m | where internal_time > 250 | bin span=15m _time | stats count(internal_time) as Count avg(internal_time) as "Ping Time" by _time host | where Count > 3

View solution in original post

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎07-21-2016 11:04 AM

Like this:

index=blah sourcetype="search1" [index=blah sourcetype="search1" earliest=-15m | where internal_time > 250 | stats count(internal_time) as Count by host | where Count > 3 | dedup host| table host] | timechart avg(internal_time) AS "Ping Time" BY host
0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎07-21-2016 09:21 AM

Suggestion - it's always better to specify the index name. You can see the difference just by adding the index name to your searches.

Try this

index=yourindex sourcetype="search1" [search index=yourindex sourcetype="search1" earliest=-15m internal_time > 250 | stats count(internal_time) as Count by host | where Count > 3 | dedup host| table host] | timechart avg(internal_time) as "Ping Time" by host
0 Karma
Reply
Solved! Jump to solution

chadman
Path Finder
‎07-21-2016 10:13 AM

Thanks for the tip! You solution also did what I was looking for. I was trying you approach at first, but could not get the syntax correct.

0 Karma
Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎07-21-2016 09:08 AM

How about this?

sourcetype="search1" earliest=-60m@m | where internal_time > 250 | bin span=15m _time | stats count(internal_time) as Count avg(internal_time) as "Ping Time" by _time host | where Count > 3
0 Karma
Reply
Solved! Jump to solution

chadman
Path Finder
‎07-21-2016 09:59 AM

Thanks worked great!

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...