topic Re: How to count field values from two indexes and plot this on a graph? in Splunk Search

How to count field values from two indexes and plot this on a graph?

tp92222 — Thu, 03 Mar 2016 11:13:51 GMT

I have 2 indexes: index=report and index=fixed

Both have the same field ticket. When a ticket is reported, it goes in both indexes, but when that ticket is resolved, it just gets removed from fixed index.

Now I wanted to compare how many tickets where there before January and how many are still remaining and plot them on a graph.

Example

index=report contains:
ticket
1
2
3
4
5

index=fixed contains:
ticket
1
4
5

It should give output as:

total count=5
remain=3

and plot this on a graph.

Re: How to count field values from two indexes and plot this on a graph?

gyslainlatsa — Thu, 03 Mar 2016 11:30:40 GMT

hi tp92222,

i don't understand very well your problem, explain your problem in a simple way and tell us exactly what you want.

cordially

Re: How to count field values from two indexes and plot this on a graph?

chimell — Thu, 03 Mar 2016 12:18:00 GMT

Hi
try this

index=report |stats count(ticket) as total_count |appendcols[search index=fixed |stats count(ticket) as remain]

in visualisation tab choose for example Bar chart

Re: How to count field values from two indexes and plot this on a graph?

fdi01 — Thu, 03 Mar 2016 12:27:48 GMT

try like :

 (index=report) OR(index=fixed) |stats count as total_count by  index

Re: How to count field values from two indexes and plot this on a graph?

woodcock — Fri, 04 Mar 2016 00:23:46 GMT

Try this base search:

index=report OR index=fixed | stats dc(index) AS Indices values(*) AS * by index

From there you can add any where indices ... clause that you like followed by another stats (or eventstats) clause to wrap it up.