- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- count entries used in two sources
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I've two sources with a Name-Town-Phone list. Now I like to count the entries mentioned in both sources.
For example: Tom and Ben are mentioned in source I and II so I like the result count(mentioned_in_both)=>2
Thanks for the help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can do something like this
index=<your_index> source=source1 OR source=source2 | stats count by source | where count>=2
If you have both the sources in different indexes then write index=index1 OR index=index2 instead of index=<your_index>
Let me know if this helps !!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
YOu would need to share your current queries using which you can search both source individually to get better answer. With information available, you can do like (assuming there are common fields between them):
(base search source1) OR (base search source2)
| stats count dc(source) as sources by Name Town Phone
| where sources=2 AND count>=2
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There is no table/statistic available.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can do something like this
index=<your_index> source=source1 OR source=source2 | stats count by source | where count>=2
If you have both the sources in different indexes then write index=index1 OR index=index2 instead of index=<your_index>
Let me know if this helps !!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey, this isn't a useful solution. I need a number of entries which are in BOTH sources.
e.g. Tom and Ben are in both lists, so I need the result 2.
(The index is the same)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index=<your_index> source=source1 OR source=source2 | stats dc(source) as source_count by <common_field> | where source_count=2
This will give you all the values in the common_field those are present in both the sources/lists.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index= source=source1 OR source=source2 | stats dc(source) as source_count by | where source_count=2 | stats count by ...
Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Append the two sets of data and then use eventstats to count occurrences, then filter for count.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is assuming the data is in lookups (since you're referring to "list"). If the data is in an index, write a search that returns data from both sets (as explained in the answers of somesoni2 and mayurr98 and then again count occurrences.
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
