topic Re: How to perform stats count on all three indexes, and combine them to show as a Timechart? in Splunk Search

How to perform stats count on all three indexes, and combine them to show as a Timechart?

kapilbk1996 — Tue, 29 Sep 2020 19:37:17 GMT

I have log file say A,B,C and their corresponding index is say index_A,index_B,index_C.
I want to perform stats count on all three indexes, and combine them to show as Timechart. I used the following query.

index="index_A"
"[ERROR]" | timechart count as
temp1 | appendcols [search index
= "index_B" | timechart count as temp2 ] |
appendcols [search index =
"index_C" | timechart
count as temp3]

This query is giving me correct result. The TImechart is shown above.
The issue is when I click on the Timechart to get the corresponding events for corresponding index, it always shows me the events of index_A only (even if I choose index_B or index_C).
This is because I had mentioned index_A at the starting of search query.

What changes do I need to make so that if I click on index other then index_A, I'll get the corresponding events?

Re: How to perform stats count on all three indexes, and combine them to show as a Timechart?

niketn — Thu, 24 May 2018 06:20:29 GMT

@kapilbk1996, While using subsearches default drilldown will be limited to your main search. Following are your couple of options.

Option 1: Keep a single base search for various indexes:

(index="index_A" AND "[ERROR]") OR (index="index_B") OR (index="index_C") 
| timechart count by index 
| rename index_A as temp1 
| rename index_B as temp2 
| rename index_C as temp3

Option 2: Create your own drilldown using predefined drilldown tokens: https://docs.splunk.com/Documentation/Splunk/latest/Viz/DrilldownIntro

Re: How to perform stats count on all three indexes, and combine them to show as a Timechart?

kapilbk1996 — Thu, 24 May 2018 06:43:55 GMT

@ niketnilay thank you for quick response.
option 1 solved my issue.