Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Combining and summing the results of two searches

rajadatta
New Member
‎06-15-2015 05:05 PM

Hi -

I have two searches that have the same fields exactly but from different sources.

I would like to join and sum the results and output

The searches:
index="atti" sourcetype="strongmail" source="/data1/strongmail/log/strongmail-retryfailed.log" mailingclass="smtpvhost1.yp.com"|stats count as NumberFailed by MailingId,Bouncetype

MailingId, Bouncetype, NumberFailed
12121,2004,2
12058,3004,4

index="atti" sourcetype="strongmail" source="/data1/strongmail/log/strongmail-failed.log" mailingclass="smtpvhost1.yp.com" |stats count as NumberFailed by MailingId,Bouncetype

MailingId, Bouncetype, NumberFailed
12121,2004,4
12058,3004,6

They return exactly as you see the same columns, I want combine(Sum) the results and output:

MailingId, Bouncetype, NumberFailed
12121,2004,6
12058,3004,10

Thanks.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎06-15-2015 05:39 PM

Like this:

index="atti" sourcetype="strongmail" mailingclass="smtpvhost1.yp.com" (source="/data1/strongmail/log/strongmail-retryfailed.log" OR source="/data1/strongmail/log/strongmail-failed.log") |stats count as NumberFailed by MailingId,Bouncetype

View solution in original post

0 Karma
Reply
Solved! Jump to solution

chimell
Motivator
‎06-16-2015 02:28 AM

Hi rajadatta
Try the following query :

    |set union [search index="atti" sourcetype="strongmail" source="/data1/strongmail/log/strongmail-retryfailed.log" mailingclass="smtpvhost1.yp.com"|stats count as NumberFailed by MailingId,Bouncetype  ] [search index="atti" sourcetype="strongmail" source="/data1/strongmail/log/strongmail-failed.log" mailingclass="smtpvhost1.yp.com" |stats count as NumberFailed by MailingId,Bouncetype ]|stats sum(NumberFailed) as total_NumberFailed
0 Karma
Reply
Solved! Jump to solution

rajadatta
New Member
‎06-16-2015 10:44 AM

Thanks for the help. I went with the first answer as it was what I was looking for.

0 Karma
Reply
Solved! Jump to solution

rajadatta
New Member
‎06-16-2015 10:44 AM

Thanks this gives me the total failed as count. I can use this as well for another report.

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎06-15-2015 05:39 PM

Like this:

index="atti" sourcetype="strongmail" mailingclass="smtpvhost1.yp.com" (source="/data1/strongmail/log/strongmail-retryfailed.log" OR source="/data1/strongmail/log/strongmail-failed.log") |stats count as NumberFailed by MailingId,Bouncetype
0 Karma
Reply
Solved! Jump to solution

rajadatta
New Member
‎06-16-2015 10:44 AM

Thanks this is what I needed.

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...