topic Re: Need help with a splunk search with appendcols in Splunk Search

Need help with a splunk search with appendcols

phularah — Thu, 07 Sep 2023 15:02:48 GMT

I am trying to get data from 2 indexes and combine them via appendcols.

The search is

index="anon" sourcetype="test1" localDn=*aaa*
| fillnull release_resp_succ update_resp_succ release_req update_req n40_msg_written_to_disk create_req value=0
| eval Number_of_expected_CDRs = release_req+update_req
| eval Succ_CDRs=release_resp_succ+update_resp_succ
| eval Missing_CDRs=Number_of_expected_CDRs-Succ_CDRs-n40_msg_written_to_disk
| timechart span=1h sum(Number_of_expected_CDRs) as Expected_CDRs sum(Succ_CDRs) as Successful_CDRs sum(Missing_CDRs) as Missing_CDRs sum(n40_msg_written_to_disk) as Written sum(create_req) as Create_Request
| eval Missed_CDRs_%=round((Missing_CDRs/Expected_CDRs)*100,2)
| eval Missed_CDRs_%=round((Missing_CDRs/Expected_CDRs)*100,2)
| table *
| appendcols [| search index=summary source="abc1" OR source="abc2"
| timechart span=1h sum(xyz) as Counter
| table Counter]

But, I am getting output from just the first search. The appendcols search is just not giving the Counter field in the output.

Re: Need help with a splunk search with appendcols

ITWhisperer — Thu, 07 Sep 2023 16:03:36 GMT

There doesn't appear to be anything wrong with the search as you have presented it - are you certain you have results from the subsearch

index=summary source="abc1" OR source="abc2" | timechart span=1h sum(xyz) as Counter | table Counter

Re: Need help with a splunk search with appendcols

phularah — Thu, 07 Sep 2023 16:51:49 GMT

Yes, I have results from both the subsearches. But, still I don't see Counter in the results which is weird.

Re: Need help with a splunk search with appendcols

ITWhisperer — Thu, 07 Sep 2023 16:59:55 GMT

Subsearches are limited to 50,000 events - could this be the reason your subsearch is not showing any results?

Have you tried a shorter timeframe, or tried fragmenting your subsearch in some way, e.g. splitting by source?

Re: Need help with a splunk search with appendcols

phularah — Thu, 07 Sep 2023 17:02:58 GMT

The results have less than 10000 events in both the subsearches.

I have off of my system now, but I will try multisearch tomorrow. Let's see if it works.

Re: Need help with a splunk search with appendcols

ITWhisperer — Thu, 07 Sep 2023 17:40:09 GMT

It is not the number of results that matter, it is the number of events returned by the first part of the search that you need to check

index=summary source="abc1" OR source="abc2"