https://community.splunk.com/t5/Getting-Data-In/How-to-agregate-data-from-different-sourcetypes/m-p/319000#M59609 <P>HI</P> <P>sorry the exact request is :<BR /> index="wineventlog" sourcetype="wineventlog:<EM>" SourceName="</EM>" Type="Critique" OR Type="Avertissement" | dedup host | stats count | rename count AS "Number of machines" | eventstats sum(count) as Total | eval percent=round((count/Total)*100,1) | eval host=host."(count: ".count.", percent: ".percent.")" | fields - count</P> Thu, 12 Apr 2018 03:20:42 GMT jip31 2018-04-12T03:20:42Z https://community.splunk.com/t5/Getting-Data-In/How-to-agregate-data-from-different-sourcetypes/m-p/318993#M59602 <P>hello</P> <P>I use the request below for retrieving some information from the Windows event viewer but in my dashboard, I need to aggregate other information from another sourcetype.<BR /> This sourcetype comes from another sourcetype ([WinHostMon://computer]] or from WMI.conf ([WMI:Computer])<BR /> My question is. how to aggregate data in my SPL command for these 2 cases?<BR /> Thanks</P> <PRE><CODE>index="wineventlog" sourcetype="wineventlog:*" SourceName="*" Type="Critique" OR Type="Avertissement" | dedup host | stats count | rename count AS "Number of machines" | eventstats sum(count) as Total | eval percent=round((count/Total)*100,1) | eval host=host."(count: ".count.", percent: ".percent.")" | fields - count Total index="wineventlog" sourcetype="wineventlog:*" SourceName="*" Type="Critique" OR Type="Avertissement" | dedup host | stats count | rename count AS "Number of machines" | eventstats sum(count) as Total | eval percent=round((count/Total)*100,1) | eval host=host."(count: ".count.", percent: ".percent.")" | fields - count Total index="wineventlog" sourcetype="wineventlog:*" SourceName="*" Type="Critique" OR Type="Avertissement" | dedup host | stats count | rename count AS "Number of machines" | eventstats sum(count) as Total | eval percent=round((count/Total)*100,1) | eval host=host."(count: ".count.", percent: ".percent.")" | fields - count Total </CODE></PRE> <HR /> <P>We formatted your code so it was easier to see the three queries.</P> Tue, 10 Apr 2018 13:04:39 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-agregate-data-from-different-sourcetypes/m-p/318993#M59602 jip31jip31 2018-04-10T13:04:39Z https://community.splunk.com/t5/Getting-Data-In/How-to-agregate-data-from-different-sourcetypes/m-p/318994#M59603 <P>Is there any common field present in all sourcetype?</P> Tue, 10 Apr 2018 13:33:16 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-agregate-data-from-different-sourcetypes/m-p/318994#M59603 p_gurav 2018-04-10T13:33:16Z https://community.splunk.com/t5/Getting-Data-In/How-to-agregate-data-from-different-sourcetypes/m-p/318995#M59604 <P>Did your query get mangled by the forum? It looks like it might be two queries stuck together.</P> <P>BTW, for better performance, use <CODE>stats dc(host)</CODE> instead of <CODE>dedup host | stats count</CODE>.</P> Tue, 10 Apr 2018 13:47:01 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-agregate-data-from-different-sourcetypes/m-p/318995#M59604 richgalloway 2018-04-10T13:47:01Z https://community.splunk.com/t5/Getting-Data-In/How-to-agregate-data-from-different-sourcetypes/m-p/318996#M59605 <P>ok thanks</P> Tue, 10 Apr 2018 16:19:58 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-agregate-data-from-different-sourcetypes/m-p/318996#M59605 jip31 2018-04-10T16:19:58Z https://community.splunk.com/t5/Getting-Data-In/How-to-agregate-data-from-different-sourcetypes/m-p/318997#M59606 <P>no sorry...</P> Tue, 10 Apr 2018 16:21:53 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-agregate-data-from-different-sourcetypes/m-p/318997#M59606 jip31 2018-04-10T16:21:53Z https://community.splunk.com/t5/Getting-Data-In/How-to-agregate-data-from-different-sourcetypes/m-p/318998#M59607 <P>NOBODY FOR HELPING ME??</P> Wed, 11 Apr 2018 05:20:10 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-agregate-data-from-different-sourcetypes/m-p/318998#M59607 jip31jip31 2018-04-11T05:20:10Z https://community.splunk.com/t5/Getting-Data-In/How-to-agregate-data-from-different-sourcetypes/m-p/318999#M59608 <P>Your query is difficult to understand. It looks like it might be two or three searches run together. Can you please edit the question?</P> Wed, 11 Apr 2018 13:41:15 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-agregate-data-from-different-sourcetypes/m-p/318999#M59608 richgalloway 2018-04-11T13:41:15Z https://community.splunk.com/t5/Getting-Data-In/How-to-agregate-data-from-different-sourcetypes/m-p/319000#M59609 <P>HI</P> <P>sorry the exact request is :<BR /> index="wineventlog" sourcetype="wineventlog:<EM>" SourceName="</EM>" Type="Critique" OR Type="Avertissement" | dedup host | stats count | rename count AS "Number of machines" | eventstats sum(count) as Total | eval percent=round((count/Total)*100,1) | eval host=host."(count: ".count.", percent: ".percent.")" | fields - count</P> Thu, 12 Apr 2018 03:20:42 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-agregate-data-from-different-sourcetypes/m-p/319000#M59609 jip31 2018-04-12T03:20:42Z https://community.splunk.com/t5/Getting-Data-In/How-to-agregate-data-from-different-sourcetypes/m-p/319001#M59610 <P>We formatted your code so it was easier to see the three queries. However, they were identical. Please update to add the second query.</P> Thu, 12 Apr 2018 04:12:41 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-agregate-data-from-different-sourcetypes/m-p/319001#M59610 DalJeanis 2018-04-12T04:12:41Z