Hello,
I have searched around, but I haven't found an example that has shown me the way.
What I am trying to do is a search on one location, and compare the stats with another location.
Here are the two searches:
host="server01" OR host="server03" source="/opt/httpd/logs/access_log" | stats count by status | rename count AS countA
and
host="server13" OR host="server14" source="/data/logs/apache/access_log" | stats count by status | rename count AS countB
I would like to output this information to a csv file that would look like this, using the static error code as one column, and then the variables countA and countB:
status,countA,countB
200,563805,6345
206,10,1345
301,33529,345
302,84470,673468
304,1747,46
400,42,23
403,36,346
404,25,46
500,29,45
502,2,345
The best that I was able to do was to get them all into the file, with duplicate entries for the status codes...
Any ideas?
OK - this post helped me.
http://splunk-base.splunk.com/answers/51740/comparing-results-from-two-searches/62359
I was able to use this search to obtain the result I wanted. It takes about 45s to run though, so if anyone has a better idea, I am all ears!
host="server01" OR host="server03" source="/opt/httpd/logs/access_log" | stats count by status | rename count AS countA | appendcols [ search ( host="server13" OR host="server14" source="/data/logs/apache/access_log" )| stats count by status | rename count AS countB ] | outputcsv combinedstats.csv
Since they are over the same time range, append would work. If you find there is more than one value for each status and count (e.g. 13 and 402 for countA with status 500), you can replace values() with max() or latest().
host="server01" OR host="server03" source="/opt/httpd/logs/access_log" | stats count by status | rename count AS countA | append[ search host="server13" OR host="server14" source="/data/logs/apache/access_log" | stats count by status | rename count AS countB ] | stats values(countA) as countA values(countB) as countB by status
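The difference between the two answers above, as an added Python illustration that is not part of the thread (the access_log lines and the function names are constructed for the example): `appendcols` glues the Nth subsearch row onto the Nth main-search row, so countB lands on the wrong status whenever the two locations do not produce the same set of status codes, whereas `append` followed by `stats ... by status` joins on the status value and yields a 0 where one location never logged that status.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample access_log lines (common log format), one string per location group.
LOG_A = """\
10.0.0.1 - - [10/Oct/2013:13:55:36 +0000] "GET / HTTP/1.1" 200 2326
10.0.0.2 - - [10/Oct/2013:13:55:37 +0000] "GET /old HTTP/1.1" 301 0
10.0.0.3 - - [10/Oct/2013:13:55:38 +0000] "GET /missing HTTP/1.1" 404 512
10.0.0.1 - - [10/Oct/2013:13:55:39 +0000] "GET / HTTP/1.1" 200 2326
"""
LOG_B = """\
10.1.0.1 - - [10/Oct/2013:13:55:36 +0000] "GET / HTTP/1.1" 200 2326
10.1.0.2 - - [10/Oct/2013:13:55:37 +0000] "POST /login HTTP/1.1" 500 0
10.1.0.3 - - [10/Oct/2013:13:55:38 +0000] "GET /missing HTTP/1.1" 404 512
"""
STATUS_RE = re.compile(r'" (\d{3}) ')  # status code follows the closing quote of the request

def count_by_status(log_text):
    """Equivalent of `| stats count by status` over one location's log."""
    counts = Counter()
    for line in log_text.splitlines():
        m = STATUS_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def appendcols_style(counts_a, counts_b):
    """Mimics `appendcols`: the Nth row of B is glued onto the Nth row of A.
    When the status sets differ, countB lands on the wrong status."""
    rows_a, rows_b = sorted(counts_a.items()), sorted(counts_b.items())
    return [{"status": s, "countA": ca,
             "countB": rows_b[i][1] if i < len(rows_b) else ""}
            for i, (s, ca) in enumerate(rows_a)]

def append_stats_by_status(counts_a, counts_b):
    """Mimics `append [...] | stats ... by status`: a real join on status,
    with 0 where a location never produced that status."""
    return [{"status": s, "countA": counts_a.get(s, 0), "countB": counts_b.get(s, 0)}
            for s in sorted(set(counts_a) | set(counts_b))]

def to_csv(rows):
    """Equivalent of `| outputcsv`, rendered to a string."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=["status", "countA", "countB"], lineterminator="\n")
    w.writeheader()
    w.writerows(rows)
    return buf.getvalue()
```

Run `to_csv(append_stats_by_status(count_by_status(LOG_A), count_by_status(LOG_B)))` to get the combined CSV; compare it with `appendcols_style` on the same counts to see status 301 wrongly receive a countB.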
Thanks! This does work too! I will compare the two searches to see if there are any differences!