Solved: How to join two search with event count?

Vasu1 · ‎08-22-2022

I want to create an alert if any of the files are missing, a description printout for that. But this search only gives me one event although it should give me two. In a nutshell, the second part after append is not working. Individual search work. Please guide. It would be greatly appreciated.

index = axway abc@gmail.com *INCL* | stats count by host | where count = 0
| eval description="File1 INCL Missing"
|table description | append [search index = axway abc@gmail.com *POD* | stats count | where count = 0
| eval description="File2 POD Missing"
|table description]

somesoni2 · ‎08-23-2022

It is working for me as is (Splunk v8.2.4)

View solution in original post

Vasu1 · ‎08-29-2022

I need to add another part before this search to make it work, but it works the way I want. Thanks for the response guys.

bowesmana · ‎08-23-2022

Your search makes no sense, you cannot do

index = axway abc@gmail.com *INCL* 
| stats count by host 
| where count = 0

as this will always give you 0 results. Think about it - if you have 100 events for 2 hosts A and B then count by host will give you a count for hosts A and B. It can never give you a count for host C which has no data, so you can never get 0 for host C

If you are trying to find out if, for hosts A, B and C whether there is an event, then you need to have all your expected hosts in a lookup file and do something like

index = axway abc@gmail.com *INCL* 
| stats count by host 
| inputlookup append=t my_list_of_hosts
| stats values(count) as count by host
| fillnull count value=0
| where count = 0 
| eval description="File1 INCL Missing" 
| table description

this will prove the negative for the first check. Then you can do this for the second one - but you could also combine this to a single search if the hosts are the same.

Hope this helps.

Vasu1 · ‎08-23-2022

index = axway abc@gmail.com *INCL* | stats count | where count = 0
| eval description="File1 INCL Missing"
|table description | append [search index = axway abc@gmail.com *POD* | stats count | where count = 0
| eval description="File2 POD Missing"
|table description]

Very much appreciate your reply. It should not be counted by the host. I apologize for that. Above is the search I am trying to search. All I am trying to do is combine search to alert us if any of the POD and INCL file is missing, and print the description for that search.

bowesmana · ‎08-23-2022

Odd, it should work. If you run this

index = axway abc@gmail.com *INCL* 
| stats count 
| eval description="File1 INCL Missing"
| append [
  search index = axway abc@gmail.com *POD* 
  | stats count 
  | eval description="File2 POD Missing"
]

does it show you both rows with the count of results for each?

somesoni2 · ‎08-23-2022

Above search should be working. Is it not working for you?

Vasu1 · ‎08-23-2022

Individual search work, but not combined. When I combined only the first one of the event pops up(first part of search), not the second.

somesoni2 · ‎08-23-2022

It is working for me as is (Splunk v8.2.4)

How to join two search with event count?

alert action

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life