Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to join two search with event count?

Vasu1
Explorer
‎08-22-2022 11:35 PM

I want to create an alert if any of the files are missing, a description printout for that. But this search only gives me one event although it should give me two. In a nutshell, the second part after append is not working. Individual search work.  Please guide. It would be greatly appreciated. 

 

 

index = axway abc@gmail.com *INCL* | stats count by host | where count = 0
| eval description="File1 INCL Missing"
|table description | append [search index = axway abc@gmail.com *POD* | stats count | where count = 0
| eval description="File2 POD Missing"
|table description]

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-23-2022 01:05 PM

It is working for me as is (Splunk v8.2.4)

Screen Shot 2022-08-23 at 4.04.02 PM.png

View solution in original post

Reply
Solved! Jump to solution

Vasu1
Explorer
‎08-29-2022 09:34 AM

I need to add another part before this search to make it work, but it works the way I want. Thanks for the response guys. 

0 Karma
Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎08-23-2022 12:17 AM

Your search makes no sense, you cannot do

index = axway abc@gmail.com *INCL* 
| stats count by host 
| where count = 0

as this will always give you 0 results. Think about it - if you have 100 events for 2 hosts A and B then count by host will give you a count for hosts A and B. It can never give you a count for host C which has no data, so you can never get 0 for host C

If you are trying to find out if, for hosts A, B and C whether there is an event, then you need to have all your expected hosts in a lookup file and do something like

index = axway abc@gmail.com *INCL* 
| stats count by host 
| inputlookup append=t my_list_of_hosts
| stats values(count) as count by host
| fillnull count value=0
| where count = 0 
| eval description="File1 INCL Missing" 
| table description

this will prove the negative for the first check. Then you can do this for the second one - but you could also combine this to a single search if the hosts are the same.

Hope this helps.

 

0 Karma
Reply
Solved! Jump to solution

Vasu1
Explorer
‎08-23-2022 12:33 PM 
index = axway abc@gmail.com *INCL* | stats count | where count = 0
| eval description="File1 INCL Missing"
|table description | append [search index = axway abc@gmail.com *POD* | stats count | where count = 0
| eval description="File2 POD Missing"
|table description]

Very much appreciate your reply. It should not be counted by the host. I apologize for that. Above is the search I am trying to search. All I am trying to do is combine search to alert us if any of the POD and INCL file is missing, and print the description for that search. 

0 Karma
Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎08-23-2022 03:17 PM

Odd, it should work. If you run this

index = axway abc@gmail.com *INCL* 
| stats count 
| eval description="File1 INCL Missing"
| append [
  search index = axway abc@gmail.com *POD* 
  | stats count 
  | eval description="File2 POD Missing"
]

does it show you both rows with the count of results for each?

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎08-23-2022 01:00 PM

Above search should be working. Is it not working for you?

Reply
Solved! Jump to solution

Vasu1
Explorer
‎08-23-2022 01:02 PM

Individual search work, but not combined. When I combined only the first one of the event pops up(first part of search), not the second. 

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-23-2022 01:05 PM

It is working for me as is (Splunk v8.2.4)

Screen Shot 2022-08-23 at 4.04.02 PM.png

Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...