topic Re: How Can I Save Three Count Searches Separated And Then Use Them Together Later? in Splunk Search

How Can I Save Three Count Searches Separated And Then Use Them Together Later?

vtsguerrero — Thu, 09 Oct 2014 17:56:20 GMT

I have some conditions for each search as follows:

Search A

index=users Channel=40 
| eval Token = User."-".Channel
| stats count by Token

Search B

index=mobile Code=5 OR Code=3 AND Mobile=1 OR Mobile=2
| stats count by Connection

Search C

index=mobile Code=5 OR Code=3 AND Mobile=5 OR Mobile=3 channel=*
| eval Token = user."-".channel
| stats count by Token

Should I save those counts separated? How can I do that...
My main table should show:

Search A count
Search B count
Search C count
Search A + Search B count
Search A + Search C count
Search B + Search C count
Search A + Search B + Search C count

It's like 3 queries inside one main query, but counts are different...
Note that in Search A Channel has an Upper case and in Search C it's lower case...

Re: How Can I Save Three Count Searches Separated And Then Use Them Together Later?

vtsguerrero — Thu, 09 Oct 2014 19:30:13 GMT

I have three searches and two indexes, is it possible, to make a dashboard that counts groupped stats over them?

Re: How Can I Save Three Count Searches Separated And Then Use Them Together Later?

tom_frotscher — Fri, 10 Oct 2014 08:03:17 GMT

Have you tried using subsearches and the append or appendcols searchcommand?

Appendcols

Re: How Can I Save Three Count Searches Separated And Then Use Them Together Later?

yannK — Fri, 10 Oct 2014 15:10:27 GMT

another approach is to run 3 searches and to save the results with a summary indexing or an outputlookup command.
then run a 4rd search retrieving the results from each of them (summary search, or inputlookup with appendcols/append)
Do not forget to add an extra column to your results for the value A/B/C to distinguish them

Re: How Can I Save Three Count Searches Separated And Then Use Them Together Later?

vtsguerrero — Fri, 10 Oct 2014 17:35:02 GMT

Got it, still don't know how to do it altough...
I can't do it via LookUp cuz of data amount is too high...
How would I create this new index mixing variables?
For example, I have Channel in index=A and ch in index=B, both acctually represent the same field same values but different indexes...
Sorry, I never used a subquery or saved search, how should I do that? Do I need to upload a new file or I use all searches in the same place?
Thanks in advance @yannK

Re: How Can I Save Three Count Searches Separated And Then Use Them Together Later?

yannK — Fri, 10 Oct 2014 17:49:45 GMT

Here are the docs for subsearches
http://docs.splunk.com/Documentation/Splunk/6.1.4/Search/Usesubsearchtocorrelateevents
Remember that they are limited to 10000 lines of result.

and for the lookups as a temporary storage
http://docs.splunk.com/Documentation/Splunk/6.1.4/SearchReference/Outputlookup
http://docs.splunk.com/Documentation/Splunk/6.1.4/SearchReference/Inputlookup

Re: How Can I Save Three Count Searches Separated And Then Use Them Together Later?

vtsguerrero — Fri, 10 Oct 2014 18:58:53 GMT

How can I make this subsearch test work?
I wanna make these fields the same or table'em together to start...

index="mobile" channel=* account=* 
[search index="main" Channel=* Account=*]
| table channel account Channel Account

Re: How Can I Save Three Count Searches Separated And Then Use Them Together Later?

vtsguerrero — Fri, 10 Oct 2014 19:46:45 GMT

Should I use a kind of JOIN for this operation? Or do you think it's possible to make the whole search for all indexes just using subsearches?
I think a lookup for this search won't be possible cuz of the amount of data...
But, after I create a new index, summarized based on two indexes, how do I fill what data I want inside this new index coming from other previous two indexes...

Re: How Can I Save Three Count Searches Separated And Then Use Them Together Later?

yannK — Fri, 10 Oct 2014 20:19:34 GMT

Not really, to append a sub search use

 index="mobile" channel=* account=* 
| append [search index="main" Channel=* Account=*]
| table channel account Channel Account

If you want to group with a join on the channel and account

 index="mobile" channel=* account=* 
| join Channel Account [search index="main" Channel=* Account=* ]
| table channel account Channel Account

Remember the 10000 limit, a better solution is to do the stats in the subsearch before

But If all that you want is to get all the results in a single search, try

( index="mobile" channel=* account=* ) OR ( index="main" Channel=* Account=*) | stats count by Token index

Re: How Can I Save Three Count Searches Separated And Then Use Them Together Later?

vtsguerrero — Mon, 13 Oct 2014 12:28:57 GMT

But In this case, will channel and account fields work as the same fields for both indexes? Considering that one is Uppercase and the other one is Lowercase, I should convert'em into a new field for a new index for example?
Thanks for the explanation @yannK

Re: How Can I Save Three Count Searches Separated And Then Use Them Together Later?

yannK — Mon, 13 Oct 2014 16:24:17 GMT

Yes, the field names are case sensitive.
So you could rename them and maybe add a detail on the origin, or normalize them and made the sum

 index="mobile" channel=* account=* | eval Channel_Mobile=channel | eval Account_Mobile=account 
 | append [search index="main" Channel=* Account=* | eval Channel_Main=Channel | eval Account_Main=Account ]
 | table Channel* Account*