
Can you help me with table results from 2 different indexes?

jip31
Builder

Hi,

I use the 2 queries below.

When I execute each one, I have results, but when I execute the queries together, I have no results.

index="-fr" sourcetype="perfmon:logicaldisk" instance="C:" counter="% Free Space"  OR   index="ai-wkst-windows-fr" sourcetype=WinHostMon source=disk Name="C:" TotalSpaceKB | table counter TotalSpaceKB

Could you help me please?

0 Karma
1 Solution

whrg
Motivator

Hello @jip31,

Please note that the AND operator has a higher precedence than the OR operator.

Your query above is basically the same as this:

index="-fr" AND sourcetype="perfmon:logicaldisk" AND instance="C:" AND (counter="% Free Space" OR index="ai-wkst-windows-fr") AND sourcetype=WinHostMon AND source=disk AND Name="C:" TotalSpaceKB
| table counter TotalSpaceKB

Try it like this instead:

(index="-fr" sourcetype="perfmon:logicaldisk" instance="C:" counter="% Free Space") OR (index="ai-wkst-windows-fr" sourcetype=WinHostMon source=disk Name="C:" TotalSpaceKB)
| table counter TotalSpaceKB

I'm assuming both queries have the fields counter and TotalSpaceKB.


0 Karma
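
Added example, not part of the original thread: a small Python model of the grouping shown in the answer above, where OR joins only the two terms next to it and every other term is ANDed. The two events and the simplified matching rules (exact field match, a bare word treated as "the event has this field") are constructed assumptions, not Splunk's own implementation.

```python
import re

# Tokens: parentheses, key="quoted value", or any other run of non-space characters.
TOKEN = re.compile(r'\(|\)|[^\s()="]+="[^"]*"|[^\s()]+')

def parse(tokens):
    """and_expr := or_expr+ (AND optional); or_expr := atom ('OR' atom)*"""
    pos = 0
    def atom():
        nonlocal pos
        tok = tokens[pos]; pos += 1
        if tok == "(":
            node = and_expr()
            pos += 1                      # skip the closing ")"
            return node
        return ("term", tok)
    def or_expr():
        nonlocal pos
        nodes = [atom()]
        while pos < len(tokens) and tokens[pos] == "OR":
            pos += 1
            nodes.append(atom())
        return nodes[0] if len(nodes) == 1 else ("or", nodes)
    def and_expr():
        nonlocal pos
        nodes = []
        while pos < len(tokens) and tokens[pos] != ")":
            if tokens[pos] == "AND":      # explicit AND equals the implicit one
                pos += 1
                continue
            nodes.append(or_expr())
        return nodes[0] if len(nodes) == 1 else ("and", nodes)
    return and_expr()

def matches(node, event):
    kind, arg = node
    if kind == "and":
        return all(matches(n, event) for n in arg)
    if kind == "or":
        return any(matches(n, event) for n in arg)
    key, sep, val = arg.partition("=")
    return event.get(key) == val.strip('"') if sep else arg in event

# Constructed sample events, one per index; field values are made up.
EVENTS = [
    {"index": "-fr", "sourcetype": "perfmon:logicaldisk", "instance": "C:", "counter": "% Free Space", "Value": "41.5"},
    {"index": "ai-wkst-windows-fr", "sourcetype": "WinHostMon", "source": "disk", "Name": "C:", "TotalSpaceKB": "249387004"},
]
UNGROUPED = 'index="-fr" sourcetype="perfmon:logicaldisk" instance="C:" counter="% Free Space"  OR   index="ai-wkst-windows-fr" sourcetype=WinHostMon source=disk Name="C:" TotalSpaceKB'
GROUPED = '(index="-fr" sourcetype="perfmon:logicaldisk" instance="C:" counter="% Free Space") OR (index="ai-wkst-windows-fr" sourcetype=WinHostMon source=disk Name="C:" TotalSpaceKB)'

def count(query):
    tree = parse(TOKEN.findall(query))
    return sum(matches(tree, e) for e in EVENTS)
```

`count(UNGROUPED)` is 0 because no single event can satisfy both `sourcetype` terms at once, while `count(GROUPED)` is 2.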

jip31
Builder

I have made a mistake in one query.
The field I need is Value instead of counter.
But when I did this I have the same problem: I obtain only the TotalSpaceKB, but the field value is empty.

(index="perfmon-fr" sourcetype="perfmon:logicaldisk" instance="C:" counter="% Free Space") OR (index="windows-fr" sourcetype=WinHostMon Type=disk Name="C:" TotalSpaceKB)
| table Value TotalSpaceKB

0 Karma

jip31
Builder

With this it works:
(index="perfmon-fr" sourcetype="perfmon:logicaldisk" instance="C:" counter="% Free Space") OR (index="windows-fr" sourcetype=WinHostMon Type=disk Name="C:" TotalSpaceKB)
| stats latest(Value) as Value latest(TotalSpaceKB) as TotalSpaceKB by host

0 Karma