Question

If I understood correctly, append returns the result in the same row as the previous query. Does anyone know why I get 2 separate rows in my results: 1 row with the foo number and another with the bar number? And no DiffPercent?

earliest=-5m@m latest=@m <my query> |stats sum(eval(MessageCount)) as foo | append [search earliest=-10m@m <same query> |stats sum(eval(MessageCount)) as bar] | append [eval DiffPercent = (bar - foo) / bar * 100]


Solution

Answered here: http://answers.splunk.com/answers/113880/append-showing-result-in-new-row

earliest=-5m@m latest=@m <my query> 
|stats  sum(eval(MessageCount)) as foo 
| eval title="5minutesago"
| append [  
search earliest=-10m@m <same query> 
|stats sum(eval(MessageCount)) as bar 
| eval title="10minutesago"
] 
| stats values(foo) AS foo values(bar) AS bar 
| eval DiffPercent = (bar - foo) / bar * 100
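
A self-contained reproduction of the behaviour discussed above, added here as an example and not part of the original question or answer. It uses `makeresults` with constructed values (foo=120, bar=200) in place of `<my query>`, so it can be pasted into any Splunk search bar without indexed data.

```spl
| makeresults
| eval foo=120
| fields - _time
| append
    [| makeresults
     | eval bar=200
     | fields - _time]
| stats values(foo) AS foo values(bar) AS bar
| eval DiffPercent = (bar - foo) / bar * 100
```

Run only through the `append` clause to see the two separate rows (one with foo, one with bar). With the final `stats` and `eval` the result is a single row with foo=120, bar=200 and DiffPercent=40.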
Licensed under: CC-BY-SA with attribution