Splunk Search

How can I get the search to work with multiple indexes?

vl951f
Path Finder

I have a search to get the max number of hours without events for feeds.

It works just for one index. It wouldn't work with more than one index. How can I get it to work for multiple indexes?

index=feed1 OR index=feed2
| bucket _time span=1h
| stats count as event_count by _time, index
| search event_count!=0
| delta _time as mydelta
| eval number_of_zeros=floor(mydelta/3600)-1
| stats max(number_of_zeros) by index

1 Solution

isoutamo
SplunkTrust
SplunkTrust

When you are calculating delta, there are different events which it uses depending on whether there is one index or several. For that reason the delta between those events is different. You could get a better result if you change the stats by to index, _time instead of _time, index (but it still doesn't work 100% of the time; it will be broken when the index changes from one to another). I'm afraid that you need to reformulate this query to get the correct answer for several indexes.

You can check the events by commenting out the last stats statement and trying to figure out the correct answer.

r. Ismo


gcusello
SplunkTrust
SplunkTrust

Hi @vl951f,

are you sure that the field name is always the same in all indexes (upper and lowercase)?

If not, you have to add a command to your search:

index=feed1 OR index=feed2
| eval event_count=coalesce(event_count1, event_count2)
| bucket _time span=1h
| stats count as event_count by _time, index
| search event_count!=0
| delta _time as mydelta
| eval number_of_zeros=floor(mydelta/3600)-1
| stats max(number_of_zeros) by index

When you insert code in your comments, please use the Insert/Edit code sample button (</>).

Ciao.

Giuseppe


vl951f
Path Finder

I'm just counting the number of events for each hour for the index.

| bucket _time span=1h
| stats count as event_count by _time, index

It didn't use any other field names.


richgalloway
SplunkTrust
SplunkTrust

"It wouldn't work" is not a problem description. Your query works for me (using my own index names). Well, it produces output, anyway. I can't say if it truly works since you don't say what it's supposed to do.

What results do you get and what results do you expect?

---
If this reply helps you, Karma would be appreciated.

vl951f
Path Finder

Hi,

I'm trying to get the max number of hours with no events for the indexes.

It worked when I did it for one index.

index=feed1
Result:
index max(number_of_zeros)
feed1 6

index=feed2
Result:
index max(number_of_zeros)
feed2 4

But got wrong results for more than one index:

index=feed1 OR index=feed2
Result:
index max(number_of_zeros)
feed1 1
feed2 2


vl951f
Path Finder

It works by changing "by _time,index" to "by index,_time"!

Thank you so much

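As an added example (not code from any post in this thread), the following search computes the gap per index without relying on row order across indexes. It keeps the index names feed1 and feed2 from the question and assumes hourly buckets as in the original search. The reason the original query breaks is that delta compares each row with the row immediately before it regardless of its index, so with "by _time, index" consecutive rows alternate between feeds and the differences are measured across feeds; sorting "by index, _time" fixes that for all rows except the one where the index changes. Using streamstats with "by index" computes the previous bucket time within each index only, so the first bucket of every index gets a null prev_time and the boundary row never contributes a bogus value.

```spl
index=feed1 OR index=feed2
| bucket _time span=1h
| stats count AS event_count BY index, _time
| sort 0 index, _time
| streamstats current=f last(_time) AS prev_time BY index
| eval hours_without_events=floor((_time - prev_time)/3600) - 1
| stats max(hours_without_events) AS max_hours_without_events BY index
```

Two caveats worth knowing. First, "| search event_count!=0" in the original query is a no-op: stats only emits rows for buckets that actually had events, so every gap is simply the distance between two consecutive populated buckets. Second, a feed that stopped sending entirely and has no bucket after the outage started is not reported by either query, because there is no later bucket to measure against; a separate check on the latest _time per index against now() is needed to catch a feed that has gone silent.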