|
Hi, i have my results : Host | max(usage) ABC | 100 xyz | 200 I want to add new column in table with max(usage) in last 24 hours by host. | Max usage (last 24 hours) | 90 I am using following query : index="power" sourcetype="power_usage" | join [ search index="power" sourcetype="power_usage" earliest=-24h | stats max(Power_consumption) by host ]| chart max(Power_consumption) over host Following error occur wit the query:- [subsearch]: Your timerange was substituted based on your search string If any body knows the solution, please let me know. Thanks in advance. |
|
By the way, have you tried the eventstats function? It attaches a summary statistics to each event. Regards, Olivier Olivier is right eventstats might be a more appropriate command than "join" i suggested to you in another thread
(17 May '11, 06:59)
MarioM
|
|
Hello, I don't have the answer, but I can see a problem with the join function. It needs the field-list parameter as you can see in http://www.splunk.com/base/Documentation/latest/SearchReference/Join. In other word, you need to join your subsearch to something and the "field-list" is the common link between both search. Hope it helps. Regards, Olivier |