Other Usage
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to use a result from one query in the calculation of another?

cactus
Engager
‎02-22-2023 10:42 PM

I've got the following to calculate our quota:

index=summary source="splunk-storage-summary"| stats latest(activeStorageLicenseGB)

and the following to give a list of how much is in each of our indexes:

 

index=summary source="splunk-storage-detail"
|stats
latest(rawSizeGBCustomer) as "size"
by idxName
|sort -size
|fields idxName size

 

What I'd like to do is display 'size' in the second query as a percentage of our quota using the results of the first query. I can do it if I use a join and then eval, but is there a way to store the results of that first query in a variable I can then use in the second query? 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎02-23-2023 03:10 AM

Try something like this

index=summary source="splunk-storage-detail"
|stats
latest(rawSizeGBCustomer) as "size"
by idxName
|sort -size
|fields idxName size
| appendcols
  [search index=summary source="splunk-storage-summary"| stats latest(activeStorageLicenseGB) as activeStorageLicenseGB]
| eventstats values(activeStorageLicenseGB) as activeStorageLicenseGB

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎02-23-2023 03:10 AM

Try something like this

index=summary source="splunk-storage-detail"
|stats
latest(rawSizeGBCustomer) as "size"
by idxName
|sort -size
|fields idxName size
| appendcols
  [search index=summary source="splunk-storage-summary"| stats latest(activeStorageLicenseGB) as activeStorageLicenseGB]
| eventstats values(activeStorageLicenseGB) as activeStorageLicenseGB
0 Karma
Reply
Solved! Jump to solution

cactus
Engager
‎02-23-2023 03:45 PM

Thanks for the reply. I do prefer your appendcols to the join I was using, but I was more after saving the value of activeStorageLicenseGB as something I can use in calculations rather than populating a new column. I'm new to Splunk though, so I may well be thinking about this all wrong.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...