Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Show a chart based on host found in another search

chadman
Path Finder
‎07-21-2016 09:02 AM

Ok, So I have two searches that work great. One will find computers with slow ping times. The other will create a chart of the ping times based on one host name. I would like somehow combine these two search's, but not sure how to do it. I would like my end result to be a chart that shows all the computers with slow ping times on one chart that plots there ping times.

Here is a search I use to grab the computers I would like to chart.

sourcetype="search1" earliest=-15m | where internal_time > 250 | stats count(internal_time) as Count by host | where Count > 3 | dedup host| table host,Count

And here is the chart I use to for one computer.

sourcetype="search1" host=$desktop$ | timechart avg(internal_time) as "Ping Time"
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎07-21-2016 09:08 AM

How about this?

sourcetype="search1" earliest=-60m@m | where internal_time > 250 | bin span=15m _time | stats count(internal_time) as Count avg(internal_time) as "Ping Time" by _time host | where Count > 3

View solution in original post

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎07-21-2016 11:04 AM

Like this:

index=blah sourcetype="search1" [index=blah sourcetype="search1" earliest=-15m | where internal_time > 250 | stats count(internal_time) as Count by host | where Count > 3 | dedup host| table host] | timechart avg(internal_time) AS "Ping Time" BY host
0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎07-21-2016 09:21 AM

Suggestion - it's always better to specify the index name. You can see the difference just by adding the index name to your searches.

Try this

index=yourindex sourcetype="search1" [search index=yourindex sourcetype="search1" earliest=-15m internal_time > 250 | stats count(internal_time) as Count by host | where Count > 3 | dedup host| table host] | timechart avg(internal_time) as "Ping Time" by host
0 Karma
Reply
Solved! Jump to solution

chadman
Path Finder
‎07-21-2016 10:13 AM

Thanks for the tip! You solution also did what I was looking for. I was trying you approach at first, but could not get the syntax correct.

0 Karma
Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎07-21-2016 09:08 AM

How about this?

sourcetype="search1" earliest=-60m@m | where internal_time > 250 | bin span=15m _time | stats count(internal_time) as Count avg(internal_time) as "Ping Time" by _time host | where Count > 3
0 Karma
Reply
Solved! Jump to solution

chadman
Path Finder
‎07-21-2016 09:59 AM

Thanks worked great!

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk APM: New Product Features + Community Office Hours Recap!

Howdy Splunk Community! Over the past few months, we’ve had a lot going on in the world of Splunk Application ...

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

A Guide To Cloud Migration Success

As enterprises’ rapid expansion to the cloud continues, IT leaders are continuously looking for ways to focus ...