The problem is that this particular query returns only 1 value that is the average and maximum value of CPU load and max of all my hosts.

where the message is processed by a pipeline of different steps/processes and at a certain point, a new processing.

| stats avg(value) as AvgCPU, max(value) as MaxCPU, values(unit) as Unit, sparkline(avg(value)) as Trend

You should be able to do this by specifying multiple fields in Splunk's join command:

sourcetype=test1 | fields col1,col2 | join col1,col2 [search sourcetype=test2 | fields col1,col2,col3]

[ search index=my_index sourcetype="metrics" timeseriesId="" | stats values(discoveredName) as hostName

index=my_index sourcetype="entity" hostGroup.name=$hostGroup_token$

So I tried combining the two queries using the mvexpand command:

| stats values(discoveredName) as hostName by hostGroup.name

I want to make a time chart table like this: Currently I am using two queries.
1. Get transaction column: sourcetype="mysource" host="myhost" | timechart count span=1h
2. Get transactionsuccess column: sourcetype="mysource" host="myhost" status="2" | timechart count span=1h
Then combine them manually with Excel.

In Kusto, it's used as part of extend or project. (1) In Splunk, the function is invoked by using the eval operator.

You can create new source types on the Splunk platform in several ways: Use the Set Source Type page in Splunk Web as part of adding the data.

index=my_index sourcetype="entity" hostGroup.name="*"

Structure and concepts: The following table compares concepts and data structures between Splunk and Kusto logs. Functions: The following table specifies functions in Kusto that are equivalent to Splunk functions.

One way Splunk can combine multiple searches at one time is with the append command.
This query returns the average and maximum CPU load per host, which is the result I'm trying to get to, but sorted by HostGroup. And the only way for me to filter hosts by HostGroup is to use this query:

set diff search index=idx2 sourcetype=src dedup A search index=idx1.

| eval AvgCPU = round(AvgCPU,2), MaxCPU = round(MaxCPU, 2)] | stats avg(value) as AvgCPU, max(value) as MaxCPU, values(unit) as Unit, sparkline(avg(value)) as Trend by hostName

index=my_index sourcetype="metrics" timeseriesId=""

I'll link the 2 queries and an explanation of the results, as for the combination I tried to make of the 2 queries. But the HostGroups are only linked to hosts in sourcetype=entity, and the values of CPU load are located in sourcetype=metrics.

The most common use of the OR operator is to find multiple values in event data, for example, foo OR bar.

How would the ORed search be applied, i.e.: search sourcetype=a rex a.

I would like to get the CPU load and maximum (as well as a trend line) of all my hosts, filtered by HostGroup.

Question: when you state natural label we have the same source type and host but different rex statements after that.

[yoursourcetype]
TRANSFORMS-overridesourcetype = overridesourcetype1, overridesourcetype2

I was able to combine both the source types but hadn't been successful in appending the column values from the second source; basically I tried eval (if condition match), appendcols etc. I am encountering problems joining 2 queries that are getting values from 2 different sourcetypes.

In a few words, you have to identify the regexes for each destination sourcetype and then put in your Indexers or (if present) in your Heavy Forwarders: nf.

Basically I am displaying a table to show all the necessary fields from the first source type and just append a column with values from the second source type (based on the matching condition - locomotive number).
Sourcetype 1: ITCM (trace log files); and for a given Locomotive number, go and find the events from the second source type, retrieve some info (example: district name) and append it to the column of the first. I have a requirement to combine values from both. I have 2 source types, one being XML and the other being trace log file events.

In this video I have discussed three commands: 'join', 'map' and 'selfjoin'. I have discussed their different use cases in detail.