Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Use stat with two different Index with different fields name to define

jaciro11
Path Finder
‎06-12-2020 08:44 AM

Hello Splunk TEAM,

I have a problem with my search because I use to different index and the data which I want to compare when I want to define by a field is different for example.

I have two Index 


in one I have ContactByName and in the other index I have PerformedByName.
I the two fields I have the same data but when I want to compare the data in that information I cant.
I try to rename ContactByName as PerformedByName to do my search again but is not a good idea. 

I have this Right now: 


(index="inlooxtt" StatusName!=Completed StatusName!=Cancelled PerformedByName!=Donado* CreatedDate>2020-05-30 ProjectName!="Capac* General" ProjectName!="Preventas*") OR (index="inlooxtasks" ProjectStatusName!=Completed ProjectStatusName!=Cancelled ContactDisplayName!=Donado* ContactDisplayName!="null" ProjectName!="Capac* General" ProjectName!="Preventas*")
| rename ContactDisplayName as PerformedByname
| eval Tiempo_Ejecutado=(DurationMinutes/60), Tiempo_Planeado=WorkAmount
| stats dedup_splitvals=true sum(Tiempo_Ejecutado) as Tiempo_Ejecutado, sum(Tiempo_Planeado) as Tiempo_Planeado by PerformedByname

But I have this: 

Lost.png
The Tiempo_Ejecutado didnt appear 😞 

Thanks all

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎06-12-2020 08:55 AM

Try using coalesce in place of rename.

(index="inlooxtt" StatusName!=Completed StatusName!=Cancelled PerformedByName!=Donado* CreatedDate>2020-05-30 ProjectName!="Capac* General" ProjectName!="Preventas*") OR (index="inlooxtasks" ProjectStatusName!=Completed ProjectStatusName!=Cancelled ContactDisplayName!=Donado* ContactDisplayName!="null" ProjectName!="Capac* General" ProjectName!="Preventas*")
| eval PerformedBy = coalesce( ContactDisplayName, PerformedByname)
| eval Tiempo_Ejecutado=(DurationMinutes/60), Tiempo_Planeado=WorkAmount
| stats dedup_splitvals=true sum(Tiempo_Ejecutado) as Tiempo_Ejecutado, sum(Tiempo_Planeado) as Tiempo_Planeado by PerformedBy

 

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎06-12-2020 08:55 AM

Try using coalesce in place of rename.

(index="inlooxtt" StatusName!=Completed StatusName!=Cancelled PerformedByName!=Donado* CreatedDate>2020-05-30 ProjectName!="Capac* General" ProjectName!="Preventas*") OR (index="inlooxtasks" ProjectStatusName!=Completed ProjectStatusName!=Cancelled ContactDisplayName!=Donado* ContactDisplayName!="null" ProjectName!="Capac* General" ProjectName!="Preventas*")
| eval PerformedBy = coalesce( ContactDisplayName, PerformedByname)
| eval Tiempo_Ejecutado=(DurationMinutes/60), Tiempo_Planeado=WorkAmount
| stats dedup_splitvals=true sum(Tiempo_Ejecutado) as Tiempo_Ejecutado, sum(Tiempo_Planeado) as Tiempo_Planeado by PerformedBy

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

jaciro11
Path Finder
‎06-12-2020 09:45 AM

Hello @richgalloway 

It Working!!! Thanks you !!!!!!!

😁

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...