Splunk Search

Help combining results from different searches, append vs. multisearch


Moderator Note: the below was originally posted as an Answer on an old question, but being its own question it has been split out accordingly.

index=testindex sourcetype=hostSoftware source="testindex://hostSoftware" host=prod1* DisplayName="anysoftware*" | dedup host, DisplayName | stats count(host) as #_of_Hosts_with_package by DisplayName, DisplayVersion | append [search index=testindex sourcetype=host source="testindex://hostSoftware" host=prod1* | table host | search NOT [search index=testindex sourcetype=hostSoftware source="testindex://hostSoftware" host=prod1* | search "DisplayName"="anysoftware*" | dedup host | table host] | rename host as Hosts_Missing_software | stats count(Hosts_Missing_software) as #_Hosts_Missing_LeostreamAgent, list(Hosts_Missing_software) as Hosts_Missing_software]

The append does not yield all of the results due to the maxout limit, so I am moving to multisearch.

I am trying to do the same search with multisearch, but it is not working. Any help is much appreciated. TIA

| multisearch [search index=testindex sourcetype=hostSoftware source="testindex://hostSoftware" host=prod1* | fields host | rename host as Hosts_raw_List | eval type="search1" ] [search index=testindex sourcetype=hostSoftware source="testindex://hostSoftware" host=prod1* Name="Anysoftware*" | fields host Name Version | rename host as hostwithpack | eval type="search2" ] | eval result=search1-search2

My search1 returns 12 hosts (the total number of hosts available).
Search2 returns 11 hosts (hosts with the software installed).

I am looking for results like in table:

Name | Version | # of hosts with software | # of hosts without software | list of hosts with no software

Can anyone please help!



Why not just

index=testindex sourcetype=host source="testindex://hostSoftware" host=prod1*
| eval FoundSoftware=if(like(DisplayName,"anysoftware%"),1,0)
| chart max(FoundSoftware) by host DisplayName

That will give you a chart with 1's for each host for each software that was found, and 0 for each software not found on that host.

You can switch host and DisplayName if you prefer the opposite orientation.

Then you can use the above results to calculate the two pieces of information that you want.

If you want to untable the results into one record per host per DisplayName, then this command will achieve that.

| untable host DisplayName FoundSoftware
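One way to carry the chart/untable idea through to the report the question asks for, as an added example that is not code from the thread. It assumes the field names from the question (DisplayName, DisplayVersion) and that every prod1* host has at least one inventory event of some kind; the NULL series that chart creates for events without a target package is what keeps hosts lacking the software in the host set.

```spl
index=testindex sourcetype=hostSoftware source="testindex://hostSoftware" host=prod1*
| eval flag=1
| eval pkg=if(like(DisplayName,"anysoftware%"), DisplayName." ".DisplayVersion, null())
| chart limit=0 max(flag) over host by pkg
| fillnull value=0
| untable host pkg flag
| where pkg!="NULL"
| stats sum(flag) as hosts_with_software, count(eval(flag=0)) as hosts_without_software, values(eval(if(flag=0, host, null()))) as hosts_missing_software by pkg
```

limit=0 matters: chart's default series limit of 10 would fold additional package versions into an OTHER column and the per-version counts would be wrong.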


In moving this post, a comment providing more details from @psmp was lost:

Thanks for the reply.
index=powershell sourcetype=swlist source="powershell://cwlist" host=prod* | stats list(host)

This query yields 5 hosts.
Host 1

index=powershell sourcetype=swlist source="powershell://cwlist" host=prod* packagename="Mysoftware" | stats count(host) by packagename packageversion

host packageName packageVersion
Host1 Mysoftware 1.0
Host3 Mysoftware 1.1
Host5 Mysoftware 1.0

I am looking for a query that yields the report below:

PackageName PackageVersion Totalhostswithpkg Totalhosts_without ListOfHostMissingPack

Mysoftware 1.0 2 2 Host2
Mysoftware 1.1 1 Host4
