https://community.splunk.com/t5/Splunk-Search/Retrieving-stats-from-multiple-summary-reports/m-p/74258#M18695 <P>What's the best way to retrieve stats from multiple reports in the summary index? We have a remote client that will use the REST API to run a search that should return 4 data points, each of which is a value calculated from a different report in our summary index. I thought we could use repeated "| search" commands but either I have the syntax incorrect or it isn't supported. As an example of the type of data being accessed:</P> <P>index=summary report=unique_clients : contains Unique_Clients field which is #unique clients over time</P> <P>index=summary report=4xx_errors : contains Num_Errors field which is # of 4* errors over time</P> <P>I would like to run one search that combines the results of searches similar to the following:</P> <PRE><CODE>index=summary report=unique_clients | stats sum(Unique_Clients) ... index=summary report=4xx_errors | stats sum(NumErrors) ... </CODE></PRE> <P>I want to return all 4 data points in one call to save on network overhead and also provide the data in a form useful to the remote client; it's silly to have them make 4 separate calls, and worse when we eventually need to return even more distinct data points to the remote clients. Thanks for any pointers,</P> <P>Tom</P> Tue, 05 Apr 2011 03:51:12 GMT beaumaris 2011-04-05T03:51:12Z https://community.splunk.com/t5/Splunk-Search/Retrieving-stats-from-multiple-summary-reports/m-p/74258#M18695 <P>What's the best way to retrieve stats from multiple reports in the summary index? We have a remote client that will use the REST API to run a search that should return 4 data points, each of which is a value calculated from a different report in our summary index. I thought we could use repeated "| search" commands but either I have the syntax incorrect or it isn't supported. As an example of the type of data being accessed:</P> <P>index=summary report=unique_clients : contains Unique_Clients field which is #unique clients over time</P> <P>index=summary report=4xx_errors : contains Num_Errors field which is # of 4* errors over time</P> <P>I would like to run one search that combines the results of searches similar to the following:</P> <PRE><CODE>index=summary report=unique_clients | stats sum(Unique_Clients) ... index=summary report=4xx_errors | stats sum(NumErrors) ... </CODE></PRE> <P>I want to return all 4 data points in one call to save on network overhead and also provide the data in a form useful to the remote client; it's silly to have them make 4 separate calls, and worse when we eventually need to return even more distinct data points to the remote clients. Thanks for any pointers,</P> <P>Tom</P> Tue, 05 Apr 2011 03:51:12 GMT https://community.splunk.com/t5/Splunk-Search/Retrieving-stats-from-multiple-summary-reports/m-p/74258#M18695 beaumaris 2011-04-05T03:51:12Z https://community.splunk.com/t5/Splunk-Search/Retrieving-stats-from-multiple-summary-reports/m-p/74259#M18696 <P>This would probably be done easiest w/ the 'append' search command like so:</P> <PRE><CODE>index=summary report=unique_clients | stats sum(Unique_Clients) ... | append[search index=summary report=4xx_errors | stats sum(NumErrors) ...] </CODE></PRE> <P>The only problem I forsee is figuring which rows should have values for which columns. It may be simple enough to ignore null column values for a given row.</P> Tue, 05 Apr 2011 04:48:50 GMT https://community.splunk.com/t5/Splunk-Search/Retrieving-stats-from-multiple-summary-reports/m-p/74259#M18696 hazekamp 2011-04-05T04:48:50Z https://community.splunk.com/t5/Splunk-Search/Retrieving-stats-from-multiple-summary-reports/m-p/74260#M18697 <P>Why not keep it simple?</P> <PRE><CODE>index=summary report=unique_clients OR report=4xx_errors | stats sum(Unique_Clients) as uc_sum sum(NumErrors) as ne_sum </CODE></PRE> Tue, 05 Apr 2011 04:56:10 GMT https://community.splunk.com/t5/Splunk-Search/Retrieving-stats-from-multiple-summary-reports/m-p/74260#M18697 araitz 2011-04-05T04:56:10Z https://community.splunk.com/t5/Splunk-Search/Retrieving-stats-from-multiple-summary-reports/m-p/74261#M18698 <P>This should work as well as long as you don't have different split-by fields.</P> Tue, 05 Apr 2011 07:07:42 GMT https://community.splunk.com/t5/Splunk-Search/Retrieving-stats-from-multiple-summary-reports/m-p/74261#M18698 hazekamp 2011-04-05T07:07:42Z https://community.splunk.com/t5/Splunk-Search/Retrieving-stats-from-multiple-summary-reports/m-p/74262#M18699 <P>a little bit of eval field1=if(isnull(field1),field2,field1) can go a long way to normalize different field spaces.</P> Tue, 05 Apr 2011 13:23:10 GMT https://community.splunk.com/t5/Splunk-Search/Retrieving-stats-from-multiple-summary-reports/m-p/74262#M18699 sideview 2011-04-05T13:23:10Z