Splunk Search

How Can I Save Three Count Searches Separately And Then Use Them Together Later?

vtsguerrero
Contributor

I have some conditions for each search as follows:

Search A

index=users Channel=40 
| eval Token = User."-".Channel
| stats count by Token

Search B

index=mobile (Code=5 OR Code=3) AND (Mobile=1 OR Mobile=2)
| stats count by Connection

Search C

index=mobile (Code=5 OR Code=3) AND (Mobile=5 OR Mobile=3) channel=*
| eval Token = user."-".channel
| stats count by Token

Should I save those counts separately? How can I do that...
My main table should show:

Search A count
Search B count
Search C count
Search A + Search B count
Search A + Search C count
Search B + Search C count
Search A + Search B + Search C count

It's like 3 queries inside one main query, but counts are different...
Note that in Search A Channel has an Upper case and in Search C it's lower case...


yannK
Splunk Employee

Another approach is to run 3 searches and to save the results with summary indexing or an outputlookup command.
Then run a 4th search retrieving the results from each of them (summary search, or inputlookup with appendcols/append).
Do not forget to add an extra column to your results for the value A/B/C to distinguish them.

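The outputlookup/inputlookup variant of that answer, written out as an added example (not code from this thread): the three count searches from the question are each saved to their own lookup file with an extra `label` column, and a fourth search reads them back, adds them up per label and derives the pairwise and three-way sums the question asks for. The lookup file names `counts_A.csv`, `counts_B.csv` and `counts_C.csv` and the column name `label` are assumptions; the four searches are run in order, the first three as scheduled saved searches and the last one on the dashboard.

```spl
index=users Channel=40
| eval Token=User."-".Channel
| stats count by Token
| eval label="A"
| outputlookup counts_A.csv

index=mobile (Code=5 OR Code=3) AND (Mobile=1 OR Mobile=2)
| stats count by Connection
| eval label="B"
| outputlookup counts_B.csv

index=mobile (Code=5 OR Code=3) AND (Mobile=5 OR Mobile=3) channel=*
| eval Token=user."-".channel
| stats count by Token
| eval label="C"
| outputlookup counts_C.csv

| inputlookup counts_A.csv
| append [| inputlookup counts_B.csv]
| append [| inputlookup counts_C.csv]
| stats sum(count) AS total BY label
| eval A=if(label="A", total, 0), B=if(label="B", total, 0), C=if(label="C", total, 0)
| stats sum(A) AS A, sum(B) AS B, sum(C) AS C
| eval "A+B"=A+B, "A+C"=A+C, "B+C"=B+C, "A+B+C"=A+B+C
| transpose
| rename column AS search, "row 1" AS count
```

Because the saved rows only share the `count` and `label` columns (Search B groups by `Connection`, the others by `Token`), the combining search does not need the per-row breakdown at all: `stats sum(count) BY label` collapses each file to one number before the sums are formed, so the subsearch result limits do not matter here. The final `transpose` turns the single wide row into the vertical table the question describes, one line per A, B, C and combination.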

vtsguerrero
Contributor

How can I make this subsearch test work?
I wanna make these fields the same or table'em together to start...

index="mobile" channel=* account=* 
[search index="main" Channel=* Account=*]
| table channel account Channel Account

yannK
Splunk Employee

Not really. To append a subsearch, use

 index="mobile" channel=* account=* 
| append [search index="main" Channel=* Account=*]
| table channel account Channel Account

If you want to group with a join on the channel and account

 index="mobile" channel=* account=* 
| join Channel Account [search index="main" Channel=* Account=* ]
| table channel account Channel Account

Remember the 10000 limit; a better solution is to do the stats in the subsearch first.

But if all that you want is to get all the results in a single search, try

( index="mobile" channel=* account=* ) OR ( index="main" Channel=* Account=*) | stats count by Token index

vtsguerrero
Contributor

But In this case, will channel and account fields work as the same fields for both indexes? Considering that one is Uppercase and the other one is Lowercase, I should convert'em into a new field for a new index for example?
Thanks for the explanation @yannK


yannK
Splunk Employee

Yes, the field names are case sensitive.
So you could rename them and maybe add a detail on the origin, or normalize them and make the sum

 index="mobile" channel=* account=* | eval Channel_Mobile=channel | eval Account_Mobile=account 
 | append [search index="main" Channel=* Account=* | eval Channel_Main=Channel | eval Account_Main=Account ]
 | table Channel* Account*
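The "normalize them" half of that answer, as an added example that is not part of the thread: both indexes are searched in one query, the differently-cased field names are folded into one normalized field with `coalesce` (an event from either index carries only one of the two spellings, so the other argument is null and is skipped), and `chart` gives the counts per token side by side with a per-token total. The names `channel_norm`, `account_norm` and `total` are assumptions.

```spl
(index="mobile" channel=* account=*) OR (index="main" Channel=* Account=*)
| eval channel_norm=coalesce(channel, Channel)
| eval account_norm=coalesce(account, Account)
| eval Token=account_norm."-".channel_norm
| chart count OVER Token BY index
| addtotals fieldname=total
```

The result has one row per `Token`, one column per index holding that index's count, and a `total` column with their sum, which is the "Search A + Search B" style figure without any lookup or summary index in between. If the same value also appears under a third spelling such as `ch`, it goes into the same `coalesce` call as a further argument.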

vtsguerrero
Contributor

Got it, still don't know how to do it although...
I can't do it via LookUp cuz of data amount is too high...
How would I create this new index mixing variables?
For example, I have Channel in index=A and ch in index=B, both actually represent the same field same values but different indexes...
Sorry, I never used a subquery or saved search, how should I do that? Do I need to upload a new file or I use all searches in the same place?
Thanks in advance @yannK


vtsguerrero
Contributor

Should I use a kind of JOIN for this operation? Or do you think it's possible to make the whole search for all indexes just using subsearches?
I think a lookup for this search won't be possible cuz of the amount of data...
But, after I create a new index, summarized based on two indexes, how do I fill what data I want inside this new index coming from other previous two indexes...



vtsguerrero
Contributor

I have three searches and two indexes, is it possible, to make a dashboard that counts grouped stats over them?


tom_frotscher
Builder

Have you tried using subsearches and the append or appendcols search command?

Appendcols
