https://community.splunk.com/t5/Splunk-Search/How-can-I-get-the-search-work-with-multiple-indexes/m-p/553594#M157176 <P>It works by changing "by _time,index" to "by index,_time"!</P><P>Thank you so much</P> Fri, 28 May 2021 21:51:13 GMT vl951f 2021-05-28T21:51:13Z https://community.splunk.com/t5/Splunk-Search/How-can-I-get-the-search-work-with-multiple-indexes/m-p/553421#M157132 <P>I have the search to get max number of hours without events for feeds.</P><P>It works just for one index. It wouldn't work with more than one index. How can I get it work for multiple indexes?</P><P>index=feed1 OR index=feed2<BR />| bucket _time span=1h<BR />| stats count as event_count by _time, index<BR />| search event_count!=0<BR />| delta _time as mydelta<BR />| eval number_of_zeros=floor(mydelta/3600)-1<BR />| stats max(number_of_zeros) by index</P> Thu, 27 May 2021 23:05:56 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-get-the-search-work-with-multiple-indexes/m-p/553421#M157132 vl951f 2021-05-27T23:05:56Z https://community.splunk.com/t5/Splunk-Search/How-can-I-get-the-search-work-with-multiple-indexes/m-p/553425#M157135 <P>"It wouldn't work" is not a problem description.&nbsp; Your query works for me (using my own index names).&nbsp; Well, it produces output, anyway.&nbsp; I can't say if it truly works since you don't say what it's supposed to do.</P><P>What results do you get and what results do you expect?</P> Fri, 28 May 2021 00:17:20 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-get-the-search-work-with-multiple-indexes/m-p/553425#M157135 richgalloway 2021-05-28T00:17:20Z https://community.splunk.com/t5/Splunk-Search/How-can-I-get-the-search-work-with-multiple-indexes/m-p/553445#M157141 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/233940">@vl951f</a>,</P><P>are you sure that the field name is always the same in all indexes (upper and lowercase)?</P><P>If not, you have to add a command to your search:</P><LI-CODE lang="markup">index=feed1 OR index=feed2 | eval event_count=coalesce(event_count1, event_count2) | bucket _time span=1h | stats count as event_count by _time, index | search event_count!=0 | delta _time as mydelta | eval number_of_zeros=floor(mydelta/3600)-1 | stats max(number_of_zeros) by index</LI-CODE><P>Please, when you insert code in your comments, please use the Insert/Edit code sample Button (&lt;/&gt;).</P><P>Ciao.</P><P>Giuseppe</P> Fri, 28 May 2021 06:19:38 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-get-the-search-work-with-multiple-indexes/m-p/553445#M157141 gcusello 2021-05-28T06:19:38Z https://community.splunk.com/t5/Splunk-Search/How-can-I-get-the-search-work-with-multiple-indexes/m-p/553576#M157169 <P>Hi,</P><P>I'm trying to get the max number of hours with no events for the indexes.</P><P>It works when I did it for one index.</P><P>index=feed1<BR />Result:<BR />index max(number_of_zeros)<BR />feed1 6</P><P>index=feed2<BR />Result:<BR />index max(number_of_zeros)<BR />feed2 4</P><P>But got wrong results for more than one index:</P><P>index=feed1 OR index=feed2<BR />Result:<BR />index max(number_of_zeros)<BR />feed1 1<BR />feed2 2</P> Fri, 28 May 2021 19:07:43 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-get-the-search-work-with-multiple-indexes/m-p/553576#M157169 vl951f 2021-05-28T19:07:43Z https://community.splunk.com/t5/Splunk-Search/How-can-I-get-the-search-work-with-multiple-indexes/m-p/553580#M157170 <P>I'm just counting the number of event for each hour for the index.</P><P>| bucket _time span=1h<BR />| stats count as event_count by _time, index</P><P>It didn't use any other field names.</P> Fri, 28 May 2021 19:10:42 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-get-the-search-work-with-multiple-indexes/m-p/553580#M157170 vl951f 2021-05-28T19:10:42Z https://community.splunk.com/t5/Splunk-Search/How-can-I-get-the-search-work-with-multiple-indexes/m-p/553592#M157175 <P>When you are calculating delta there are different events which it's use based on one index or several. For that reason the delta between those events are different. You could get better result if you change in stats by to index, _time instead of _time, index (but it's not works 100% of time still, if will be broken when index changes from one to another). I afraid that you need to reformulate this query to get correct answer for several indexes.</P><P>You can check the events by commenting out the last stats statement and try to figure out the correct answer.</P><P>r. Ismo</P> Fri, 28 May 2021 21:42:11 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-get-the-search-work-with-multiple-indexes/m-p/553592#M157175 isoutamo 2021-05-28T21:42:11Z https://community.splunk.com/t5/Splunk-Search/How-can-I-get-the-search-work-with-multiple-indexes/m-p/553594#M157176 <P>It works by changing "by _time,index" to "by index,_time"!</P><P>Thank you so much</P> Fri, 28 May 2021 21:51:13 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-get-the-search-work-with-multiple-indexes/m-p/553594#M157176 vl951f 2021-05-28T21:51:13Z