Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Combining and summing the results of two searches

rajadatta
New Member
‎06-15-2015 05:05 PM

Hi -

I have two searches that have the same fields exactly but from different sources.

I would like to join and sum the results and output

The searches:
index="atti" sourcetype="strongmail" source="/data1/strongmail/log/strongmail-retryfailed.log" mailingclass="smtpvhost1.yp.com"|stats count as NumberFailed by MailingId,Bouncetype

MailingId, Bouncetype, NumberFailed
12121,2004,2
12058,3004,4

index="atti" sourcetype="strongmail" source="/data1/strongmail/log/strongmail-failed.log" mailingclass="smtpvhost1.yp.com" |stats count as NumberFailed by MailingId,Bouncetype

MailingId, Bouncetype, NumberFailed
12121,2004,4
12058,3004,6

They return exactly as you see the same columns, I want combine(Sum) the results and output:

MailingId, Bouncetype, NumberFailed
12121,2004,6
12058,3004,10

Thanks.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎06-15-2015 05:39 PM

Like this:

index="atti" sourcetype="strongmail" mailingclass="smtpvhost1.yp.com" (source="/data1/strongmail/log/strongmail-retryfailed.log" OR source="/data1/strongmail/log/strongmail-failed.log") |stats count as NumberFailed by MailingId,Bouncetype

View solution in original post

0 Karma
Reply
Solved! Jump to solution

chimell
Motivator
‎06-16-2015 02:28 AM

Hi rajadatta
Try the following query :

    |set union [search index="atti" sourcetype="strongmail" source="/data1/strongmail/log/strongmail-retryfailed.log" mailingclass="smtpvhost1.yp.com"|stats count as NumberFailed by MailingId,Bouncetype  ] [search index="atti" sourcetype="strongmail" source="/data1/strongmail/log/strongmail-failed.log" mailingclass="smtpvhost1.yp.com" |stats count as NumberFailed by MailingId,Bouncetype ]|stats sum(NumberFailed) as total_NumberFailed
0 Karma
Reply
Solved! Jump to solution

rajadatta
New Member
‎06-16-2015 10:44 AM

Thanks for the help. I went with the first answer as it was what I was looking for.

0 Karma
Reply
Solved! Jump to solution

rajadatta
New Member
‎06-16-2015 10:44 AM

Thanks this gives me the total failed as count. I can use this as well for another report.

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎06-15-2015 05:39 PM

Like this:

index="atti" sourcetype="strongmail" mailingclass="smtpvhost1.yp.com" (source="/data1/strongmail/log/strongmail-retryfailed.log" OR source="/data1/strongmail/log/strongmail-failed.log") |stats count as NumberFailed by MailingId,Bouncetype
0 Karma
Reply
Solved! Jump to solution

rajadatta
New Member
‎06-16-2015 10:44 AM

Thanks this is what I needed.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...