https://community.splunk.com/t5/Splunk-Search/How-to-calculate-state-based-on-values-from-many-searches/m-p/488756#M136505 <P>Hi prsepulv,<BR /> let me understand, why don't you use a only one search with OR clause? in this way you haven't subsearches limit.</P> <PRE><CODE>(index=index1 sourcetype=source1) OR (index=index2 sourcetype=source2) OR (index=indexn sourcetype=sourcen) earliest=-30m latest=now() | rex field=_raw "State 1 (?&lt;State_01&gt;.),(?&lt;State_02&gt;.)...(?&lt;State_NN&gt;.)" | eval value1=State_01*State_02* ... *StateNN </CODE></PRE> <P>Then you can calculate the things you want and display the values you like, e.g. if you want some Single Values panel that display the first value (or max or sum) for each index, you can run</P> <PRE><CODE>(index=index1 sourcetype=source1) OR (index=index2 sourcetype=source2) OR (index=indexn sourcetype=sourcen) earliest=-30m latest=now() | rex field=_raw "State 1 (?&lt;State_01&gt;.),(?&lt;State_02&gt;.)...(?&lt;State_NN&gt;.)" | eval value=State_01*State_02* ... *StateNN | stats first(value) AS value BY index </CODE></PRE> <P>so you can display it in a panel or in multiple Single Panel using Trellis.</P> <P>Bye.<BR /> Giuseppe</P> Sun, 22 Sep 2019 09:24:01 GMT gcusello 2019-09-22T09:24:01Z https://community.splunk.com/t5/Splunk-Search/How-to-calculate-state-based-on-values-from-many-searches/m-p/488754#M136503 <P>I'm using a dashboard to display the state of some services. For this purpose, I must takes single values from many searches to obtain a final value, like value = valu1 * value2 * value3 ... valuen<BR /> The searches are like:</P> <P>Search1: </P> <PRE><CODE>search index=index1 sourcetype=source1 earliest=-30m latest=now() | head 1 | rex field=_raw "State 1 (?&lt;State_01&gt;.),(?&lt;State_02&gt;.)...(?&lt;State_NN&gt;.)" | eval value1=State_01*State_02* ... *StateNN </CODE></PRE> <P>Search2: </P> <PRE><CODE>search index=index2 sourcetype=source2 earliest=-30m latest=now() | head 1 | rex field=_raw "State 1 (?&lt;State_01&gt;.),(?&lt;State_02&gt;.)...(?&lt;State_NN&gt;.)" | eval value2=State_01*State_02* ... *StateNN </CODE></PRE> <P>SearchN: </P> <PRE><CODE>search index=indexN sourcetype=sourceN earliest=-30m latest=now() | head 1 | rex field=_raw "State 1 (?&lt;State_01&gt;.),(?&lt;State_02&gt;.)...(?&lt;State_NN&gt;.)" | eval valueN=State_01*State_02* ... *StateNN </CODE></PRE> <P>and finally,</P> <PRE><CODE>| eval value=value1*value2*...*valueN </CODE></PRE> <P>Each search works fine separately, but not together. I was using join, like this:</P> <PRE><CODE>search index=index1 sourcetype=source1 earliest=-30m latest=now() | head 1 | rex field=_raw "State 1 (?&lt;State_01&gt;.),(?&lt;State_02&gt;.)...(?&lt;State_NN&gt;.)" | eval value1=State_01*State_02* ... *StateNN | join value2 [ search index=index2 sourcetype=source2 earliest=-30m latest=now() | head 1 | rex field=_raw "State 1 (?&lt;State_01&gt;.),(?&lt;State_02&gt;.)...(?&lt;State_NN&gt;.)" | eval value2=State_01*State_02* ... *StateNN ] | eval value=value1*valu2 </CODE></PRE> <P>And Splunk keeps telling me <STRONG>No results found</STRONG>. What I'm doing wrong?</P> <P>Regards, </P> <P>Pedro</P> Sat, 21 Sep 2019 16:55:43 GMT https://community.splunk.com/t5/Splunk-Search/How-to-calculate-state-based-on-values-from-many-searches/m-p/488754#M136503 prsepulv 2019-09-21T16:55:43Z https://community.splunk.com/t5/Splunk-Search/How-to-calculate-state-based-on-values-from-many-searches/m-p/488755#M136504 <P>Hi, </P> <P>Joins are used to join 2 different search with common variable . In this scenario value* is some thing you are calculating for each search . So you should use appendcols instead of join .</P> Sat, 21 Sep 2019 18:53:07 GMT https://community.splunk.com/t5/Splunk-Search/How-to-calculate-state-based-on-values-from-many-searches/m-p/488755#M136504 Anantha123 2019-09-21T18:53:07Z https://community.splunk.com/t5/Splunk-Search/How-to-calculate-state-based-on-values-from-many-searches/m-p/488756#M136505 <P>Hi prsepulv,<BR /> let me understand, why don't you use a only one search with OR clause? in this way you haven't subsearches limit.</P> <PRE><CODE>(index=index1 sourcetype=source1) OR (index=index2 sourcetype=source2) OR (index=indexn sourcetype=sourcen) earliest=-30m latest=now() | rex field=_raw "State 1 (?&lt;State_01&gt;.),(?&lt;State_02&gt;.)...(?&lt;State_NN&gt;.)" | eval value1=State_01*State_02* ... *StateNN </CODE></PRE> <P>Then you can calculate the things you want and display the values you like, e.g. if you want some Single Values panel that display the first value (or max or sum) for each index, you can run</P> <PRE><CODE>(index=index1 sourcetype=source1) OR (index=index2 sourcetype=source2) OR (index=indexn sourcetype=sourcen) earliest=-30m latest=now() | rex field=_raw "State 1 (?&lt;State_01&gt;.),(?&lt;State_02&gt;.)...(?&lt;State_NN&gt;.)" | eval value=State_01*State_02* ... *StateNN | stats first(value) AS value BY index </CODE></PRE> <P>so you can display it in a panel or in multiple Single Panel using Trellis.</P> <P>Bye.<BR /> Giuseppe</P> Sun, 22 Sep 2019 09:24:01 GMT https://community.splunk.com/t5/Splunk-Search/How-to-calculate-state-based-on-values-from-many-searches/m-p/488756#M136505 gcusello 2019-09-22T09:24:01Z https://community.splunk.com/t5/Splunk-Search/How-to-calculate-state-based-on-values-from-many-searches/m-p/488757#M136506 <P>I'm trying to use appendcols, <STRONG>the problem is that values calculated inside subsearch aren't shared to main search</STRONG>. In each subsearch I find the last register and parse it with regex. And with the parsed data I calulate a single value. After that I would like to use that value on main search, with anothers values to calculate a main value.<BR /> The different subsearchs are absolutely independents between them and doesn't share none data. Also lenght of registers is differente in each subsearch.</P> <P>Regards</P> Mon, 23 Sep 2019 14:28:53 GMT https://community.splunk.com/t5/Splunk-Search/How-to-calculate-state-based-on-values-from-many-searches/m-p/488757#M136506 prsepulv 2019-09-23T14:28:53Z https://community.splunk.com/t5/Splunk-Search/How-to-calculate-state-based-on-values-from-many-searches/m-p/488758#M136507 <P>I tried to use it, however I calculate values from fields extracted with regex and apparently I can use only one <STRONG>rex field=_raw</STRONG> extraction by query. If I try to use a second regex extraction, the previous data, extracted and calculated, are gone. Also the records of each search have differents lenghts and don't have any relation between them.</P> Mon, 23 Sep 2019 15:42:46 GMT https://community.splunk.com/t5/Splunk-Search/How-to-calculate-state-based-on-values-from-many-searches/m-p/488758#M136507 prsepulv 2019-09-23T15:42:46Z https://community.splunk.com/t5/Splunk-Search/How-to-calculate-state-based-on-values-from-many-searches/m-p/488759#M136508 <P>I found an answer on this link <A href="https://answers.splunk.com/answers/240798/how-to-return-a-single-value-from-a-subsearch-into.html">https://answers.splunk.com/answers/240798/how-to-return-a-single-value-from-a-subsearch-into.html</A><BR /> It works, like a charm...</P> <P>Thank you very much to all.</P> <P>Regards</P> Mon, 23 Sep 2019 21:44:45 GMT https://community.splunk.com/t5/Splunk-Search/How-to-calculate-state-based-on-values-from-many-searches/m-p/488759#M136508 prsepulv 2019-09-23T21:44:45Z