https://community.splunk.com/t5/Splunk-Search/How-to-use-coalesce-without-hitting-search-limit/m-p/451532#M127865 <P>My data is from the same source but I would like to count the number of times a host appears on the event based on two fields criteria. How can I do that without hitting search limit?</P> <PRE><CODE>index=my_index source=my_source (source_host=remote* OR dest_host=remote*) | eval name=coalesce(source_host,dest_host) | stats count by name </CODE></PRE> <P>Thank you very much!</P> Thu, 09 May 2019 05:21:53 GMT alc2019 2019-05-09T05:21:53Z https://community.splunk.com/t5/Splunk-Search/How-to-use-coalesce-without-hitting-search-limit/m-p/451532#M127865 <P>My data is from the same source but I would like to count the number of times a host appears on the event based on two fields criteria. How can I do that without hitting search limit?</P> <PRE><CODE>index=my_index source=my_source (source_host=remote* OR dest_host=remote*) | eval name=coalesce(source_host,dest_host) | stats count by name </CODE></PRE> <P>Thank you very much!</P> Thu, 09 May 2019 05:21:53 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-coalesce-without-hitting-search-limit/m-p/451532#M127865 alc2019 2019-05-09T05:21:53Z https://community.splunk.com/t5/Splunk-Search/How-to-use-coalesce-without-hitting-search-limit/m-p/451533#M127866 <P>The above search seems to be good. it should be constrained by limits.conf only<BR /> What type of limit you hitting?</P> Thu, 09 May 2019 05:46:24 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-coalesce-without-hitting-search-limit/m-p/451533#M127866 koshyk 2019-05-09T05:46:24Z https://community.splunk.com/t5/Splunk-Search/How-to-use-coalesce-without-hitting-search-limit/m-p/451534#M127867 <P>I was trying to apply the answer from this good post, but I cannot make it work.</P> <P>The coalesce results only one side. I want to count each time a host appears on either source_host or destination_host. </P> <P><A href="https://answers.splunk.com/answers/524250/how-to-search-for-matches-in-two-different-searche.html" target="_blank">https://answers.splunk.com/answers/524250/how-to-search-for-matches-in-two-different-searche.html</A></P> <P><A href="https://answers.splunk.com/answers/524250/how-to-search-for-matches-in-two-different-searche.html" target="_blank">link text</A></P> Wed, 30 Sep 2020 00:28:03 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-coalesce-without-hitting-search-limit/m-p/451534#M127867 alc2019 2020-09-30T00:28:03Z https://community.splunk.com/t5/Splunk-Search/How-to-use-coalesce-without-hitting-search-limit/m-p/451535#M127868 <P>Try this:</P> <PRE><CODE>index=my_index source=my_source (source_host=remote* OR dest_host=remote*) | multireport [ stats count by source_host] [ stats count by dest_host ] | eval name=coalesce(source_host,dest_host) | fields - *_host </CODE></PRE> Fri, 10 May 2019 18:43:47 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-coalesce-without-hitting-search-limit/m-p/451535#M127868 woodcock 2019-05-10T18:43:47Z https://community.splunk.com/t5/Splunk-Search/How-to-use-coalesce-without-hitting-search-limit/m-p/451536#M127869 <P>minor amendments <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> </P> <PRE><CODE> index=my_index source=my_source (source_host=remote* OR dest_host=remote*) | multireport [ stats count by source_host] [ stats count by dest_host ] | eval name=coalesce(source_host,dest_host) | fields - *_host | stats sum(count) as count by name </CODE></PRE> Fri, 10 May 2019 19:00:00 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-coalesce-without-hitting-search-limit/m-p/451536#M127869 sumanssah 2019-05-10T19:00:00Z https://community.splunk.com/t5/Splunk-Search/How-to-use-coalesce-without-hitting-search-limit/m-p/451537#M127870 <P>I agree. Missed it by <CODE>&gt;that&lt;</CODE> much.</P> Fri, 10 May 2019 19:44:29 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-coalesce-without-hitting-search-limit/m-p/451537#M127870 woodcock 2019-05-10T19:44:29Z https://community.splunk.com/t5/Splunk-Search/How-to-use-coalesce-without-hitting-search-limit/m-p/451538#M127871 <P>Except you don't need the <CODE>fields - *_host</CODE> in that case.</P> Fri, 10 May 2019 19:45:10 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-coalesce-without-hitting-search-limit/m-p/451538#M127871 woodcock 2019-05-10T19:45:10Z