Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Combine the count from 1 search to the result of another search

agolkar
Explorer
‎02-12-2019 12:44 PM

Hello everyone,

I have one search that is showing me a list of IP addresses of addresses. Lets call the field of IP addresses "Name":

  index="IP_list" sourcetype="sourcetype_IP_list" | table Name Location

I get the output of:

 Name                                 Location
---------------                 --------------------
192.168.1.3                       basement
192.168.1.5                       attic
192.168.1.8                       garage

I have another search that is showing me something about the servers if that server has more than 1 of that thing. In this search, the server IP is called "IP"
Here is an example:

index="server_info" thing>0 | stats count by IP

I get the output of:

IP                      count
--------------          -------------
192.168.1.3                 4
192.168.1.5                 8
192.168.1.8                 2

How could I combine these 2 searches to I get a table that shows the IP (Name), location, and the count?

0 Karma
Reply

Vijeta
Influencer
‎02-12-2019 02:04 PM

Try this -

index="IP_list" sourcetype="sourcetype_IP_list" | stats values(Location)  as Location by Name |join Name[search index="server_info" thing>0 | stats count by IP| rename IP as Name]
0 Karma
Reply

chrisyounger
SplunkTrust
SplunkTrust
‎02-12-2019 01:06 PM

Try this

index="IP_list" sourcetype="sourcetype_IP_list" 
| eval IP = Name
| fields IP Location 
| append [ search index="server_info" thing > 0 | stats count by IP]
| stats latest(count) as count values(Location) by IP

Hope this helps!

Reply

agolkar
Explorer
‎02-12-2019 01:20 PM

I feel like its so close! Its getting me the right columns but the count field is empty for every IP.....

0 Karma
Reply

chrisyounger
SplunkTrust
SplunkTrust
‎02-12-2019 01:26 PM

Does this search work correctly search index="server_info" thing > 0 | stats count by IP ?

Secondly, what happens if you try changing the last line to this: | stats values(count) as count values(Location) by IP

Reply

agolkar
Explorer
‎02-12-2019 01:35 PM 
search index="server_info" thing > 0 | stats count by IP

Does work.

Changing the last line worked! I now see the correct counts! However I noticed one weird thing. If I add the location to the first line of the search ex:
index="IP_list" sourcetype="sourcetype_IP_list" Location="basement"

It still shows all results/counts but leaves the location of other places empty and just shows the location for servers located in "basement" any ideas on how to fix this? Thank you for the help.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...