
Splunk: Combining multiple chart queries to get a single table


As of today we have two queries that are running.

1st query: Count of api grouped by apiName and status

index=aws* api.metaData.pid="myAppName"
| rename api.p as apiName
| chart count BY apiName "api.metaData.status"
| multikv forceheader=1
| table apiName success error NULL

which displays a table something like shown below

=====================================
| apiName|| success || error || NULL|
=====================================
| Test1  || 10      || 20    || 0   |
| Test2  || 10      || 20    || 0   |
| Test3  || 10      || 20    || 0   |
| Test4  || 10      || 20    || 0   |
| Test5  || 10      || 20    || 0   |
| Test6  || 10      || 20    || 0   |

2nd query: latency of api grouped by apiName

index=aws* api.metaData.pid="myAppName" 
| rename api.p as apiName 
| rename api.measures.tt as Response_Time 
| chart min(Response_Time) as RT_fastest max(Response_Time) as RT_slowest by apiName
| table apiName RT_fastest RT_slowest

which displays a table something like below

======================================
| apiName || RT_fastest || RT_slowest|
======================================
| Test1   || 141        || 20        |
| Test2   || 10         || 20        |
| Test3   || 10         || 20        |
| Test4   ||  0         || 20        |
| Test5   || 10         || 20        |
| Test6   || 10         || 20        |

Question:

If you look at the above tables, both tables are grouped by apiName. Is there a way to combine these queries so that I get a single result, something like this?

================================================================
| apiName || success || error || NULL || RT_fastest || RT_slowest |
================================================================
| Test1   || 10      || 20.   || 20.  || 20.        || 20.        |
| Test2   || 10      || 20.   || 20.  || 20.        || 20.        |
| Test3   || 10      || 20.   || 20.  || 20.        || 20.        |
| Test4   || 10      || 20.   || 20.  || 20.        || 20.        |
| Test5   || 10      || 20.   || 20.  || 20.        || 20.        |
| Test6   || 10      || 20.   || 20.  || 20.        || 20.        |

I could not find any documentation regarding combining multiple chart queries into one. Could someone please help me with this? Thanks :)


Solution

  • The challenge here is the two queries use different groupings - apiName and status in query1 and apiName alone in query2. Simply combining the two chart commands is not possible.

    We can, however, append the second query to the first and then merge the results. Try this:

    index=aws* api.metaData.pid="myAppName"
    | rename api.p as apiName
    | chart count BY apiName "api.metaData.status"
    | multikv forceheader=1
    | table apiName success error NULL
    | append [ search index=aws* api.metaData.pid="myAppName" 
      | rename api.p as apiName 
      | rename api.measures.tt as Response_Time 
      | chart min(Response_Time) as RT_fastest max(Response_Time) as RT_slowest by apiName
      | table apiName RT_fastest RT_slowest ]
    | stats values(*) as * by apiName
    | table apiName success error NULL RT_fastest RT_slowest
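A single-pass alternative that produces the same six-column table without a subsearch, added here as an example and not part of the answer above. `append` runs the second query as a subsearch, which is subject to Splunk's subsearch result-count and run-time limits; computing every column in one `stats` over the same events avoids that. It assumes, as the question's first chart shows, that `api.metaData.status` holds the literal values `success` and `error` and that the `NULL` column counts events with no status at all.

```spl
index=aws* api.metaData.pid="myAppName"
| rename api.p as apiName, api.measures.tt as Response_Time, api.metaData.status as status
| stats count(eval(status=="success"))        as success
        count(eval(status=="error"))          as error
        sum(eval(if(isnull(status), 1, 0)))   as NULL
        min(Response_Time)                    as RT_fastest
        max(Response_Time)                    as RT_slowest
        by apiName
| fillnull value=0 success error NULL
| table apiName success error NULL RT_fastest RT_slowest
```

Every row is keyed by apiName in one aggregation, so no merge step is needed; the `fillnull` makes an apiName with no events of a given status show 0 rather than an empty cell.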