I'm using a dashboard to display the state of some services. For this purpose, I must take single values from many searches to obtain a final value, like value = value1 * value2 * value3 * ... * valueN
The searches are like:

Search1:
```spl
search index=index1 sourcetype=source1 earliest=-30m latest=now() | head 1
| rex field=_raw "State 1 (?<State_01>.),(?<State_02>.)...(?<StateNN>.)"
| eval value1=State_01*State_02* ... *StateNN
```

Search2:
```spl
search index=index2 sourcetype=source2 earliest=-30m latest=now() | head 1
| rex field=_raw "State 1 (?<State_01>.),(?<State_02>.)...(?<StateNN>.)"
| eval value2=State_01*State_02* ... *StateNN
```

...

SearchN:
```spl
search index=indexN sourcetype=sourceN earliest=-30m latest=now() | head 1
| rex field=_raw "State 1 (?<State_01>.),(?<State_02>.)...(?<StateNN>.)"
| eval valueN=State_01*State_02* ... *StateNN
```

and finally,
```spl
| eval value=value1*value2*...*valueN
```
Each search works fine separately, but not together. I was using join, like this:

```spl
search index=index1 sourcetype=source1 earliest=-30m latest=now() | head 1
| rex field=_raw "State 1 (?<State_01>.),(?<State_02>.)...(?<StateNN>.)"
| eval value1=State_01*State_02* ... *StateNN
| join value2
    [ search index=index2 sourcetype=source2 earliest=-30m latest=now() | head 1
    | rex field=_raw "State 1 (?<State_01>.),(?<State_02>.)...(?<StateNN>.)"
    | eval value2=State_01*State_02* ... *StateNN ]
| eval value=value1*value2
```

And Splunk keeps telling me **No results found**. What am I doing wrong?
Regards,
Pedro
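Added example, not from Pedro's post: `join value2` only keeps outer rows whose `value2` matches a subsearch row, and `value2` exists only inside the subsearch, so nothing matches. `appendcols` instead pastes the subsearch's fields onto the outer row by position, which is what a one-row-per-search product needs. The `makeresults` rows and the three-digit regex are constructed stand-ins for the real index searches; each `| makeresults | eval _raw=...` pair stands in for one `search index=... | head 1`.

```spl
| makeresults
| eval _raw="State 1 1,0,1"
| rex field=_raw "State 1 (?<State_01>\d),(?<State_02>\d),(?<State_03>\d)"
| eval value1=State_01*State_02*State_03
| appendcols
    [| makeresults
     | eval _raw="State 1 1,1,1"
     | rex field=_raw "State 1 (?<State_01>\d),(?<State_02>\d),(?<State_03>\d)"
     | eval value2=State_01*State_02*State_03 ]
| appendcols
    [| makeresults
     | eval _raw="State 1 1,1,1"
     | rex field=_raw "State 1 (?<State_01>\d),(?<State_02>\d),(?<State_03>\d)"
     | eval value3=State_01*State_02*State_03 ]
| eval value=value1*value2*value3
| table value1 value2 value3 value
```

With the constructed inputs this returns one row with value1=0, value2=1, value3=1 and value=0; because each search is reduced to a single row by `head 1`, positional pasting is safe, and a search that returns no event shows up as an empty value rather than wiping out the whole result.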