Solved: Combine and count results from two queries without...

Sakshi_Parashar · ‎10-21-2020

So, if I have an index=abc with fields a,b

Also, I have index=xyz with fields b,c

Now I want to count the results where a="foo", c="bar" and b from both indices are common. I want to do this without join because of the maxout limitation.

A sample query with join is:

index="abc" a="foo" | join type=inner b [search(index="xyz" c="bar")] | timechart span="1h" count as foobar

Can someone help with a query giving the same result without join?

Sakshi_Parashar · ‎10-25-2020

Found a working solution for the above problem,

(index="abc" a=”foo”) OR (index="xyz" c=”bar”) 
| bin span=1d _time 
| stats dc(index) as dcount by b,_time 
| where dcount>1 
| stats count as foobar by _time

View solution in original post

Sakshi_Parashar · ‎10-25-2020

Found a working solution for the above problem,

(index="abc" a=”foo”) OR (index="xyz" c=”bar”) 
| bin span=1d _time 
| stats dc(index) as dcount by b,_time 
| where dcount>1 
| stats count as foobar by _time

richgalloway · ‎10-21-2020

There's good talk on this subject at .conf20. Go to conf.splunk.com to check it out. In the meantime, try this query

(index="abc" a="foo") OR (index="xyz" c="bar")
| bin span=1h _time
| stats values(*) as * by b
| timechart span="1h" count as foobar

---
If this reply helps you, Karma would be appreciated.

Combine and count results from two queries without join command

count

join

stats

timechart

Monitoring Amazon Elastic Kubernetes Service (EKS)

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

Explore the Latest Educational Offerings from Splunk (November Releases)