Reputation: 381
show results from two splunk queries into one
I have two separate splunk queries: 1st Query : Outputs unique user count in last 24 hours 2nd Query : Outputs unique users count in last 24 hours in geo = US
I want to create a timechart that will show , a line chart with % of user everyday from US.
How can this be achieved.
Upvotes: 5
Views: 10955
Answers (3)
Reputation: 87
Can you anonymize your data, and show the query here? There's lots of ways to do this in Splunk, but we will need a bit more to go on.
for example
Query: index=myindex sourcetype=mySourcetype | stats count dc(ip) as userTotal | append [ index=myindex sourcetype=mySourcetype region=US | stats dc(ip) as USTotal]
Upvotes: 0
Reputation: 11
You can use a conditional to count those from US
Example query:
index=data | timechart dc(user) as dc_user, dc(eval(if(geo=US,user,NULL))) as us_user | eval perc_us=round(us_user/dc_user*100,2) | table _time, perc_us
Alternatively you can use the SPL join command but that would be less efficient as it would have to read the data twice and join the results.
Upvotes: 1
Reputation: 18958
You can join the two queries by using :
|
So your query can look like this:
{firstQuery} as countUS| {secondQuery} as countTotal | eval perc=countUS/countTotal
Upvotes: 5
Related Questions
- SPLUNK use result from first search in second search
- Splunk how to display multiple stats queries in table?
- Output of 1 query to be used a input of another to get results
- Splunk join two query to based on result of first query
- Join two Splunk queries without predefined fields
- Splunk query do not return value for both columns together
- How to merge two stats by in Splunk?
- Splunk query based on the results of another query
- How to append two queries in splunk?
- How to combine two queries in Splunk?