Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How do I do search between 2 different indexes?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do I do search between 2 different indexes?
Think of this as a youtube scenario where I have 2 different indexes: viewerreport and videoreport. The viewerreport contains a column videoId, which I could use this Id to search for an event/video from videoreport index. A video could be watch by any user 1, 2, 100 times vary. The videoreport contains a column duration. How can I calculate the total duration of all the videos that users viewed?
Is this possible in splunk?
I have been trying this for 2 days and still can not come up with an answer. I can't think of a better way of doing this than for loop but so far I tried inputlookup, which doesn't actually fit the case. Thanks for the help!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The best thing to do is to put the video details into a lookup file with a true-up scheduled search like this:
index=videoreport
| dedup videoid
| table duration videoid
| appendpipe [|inputlookup VideosAndDurations.csv]
| dedup videoid
| outputlookup VideosAndDurations.csv
Then use it to lookup in the other search like this:
index = viewerreport
| stats count BY videoid user
| lookup VideosAndDurations videoid OUTPUT duration
| eval video_total = duration * count
| stats sum(video_total) AS grand_total BY user
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Like this:
|mulisearch
[ search index=videoreport
| dedup videoid
| table duration videoid ]
[ search index=viewerreport
| stats count BY videoid user
| eval user_count = user . "=" . count
| table user_count videoid ]
| stats values(*) AS * BY videoid
| mvexpand user_count
| rex field=user_count "^(?<user>[^=]+)=(?<count>[^=]+)$"
| eval video_total = duration * count
| stats sum(video_total) AS grand_total BY user
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi tamduong16,
if you want so sum durations of all IDs (field named "Id") in videoreport index it's easy:
index=videoreport
| stats sum(duration) AS Total_Duration BY Id
if instad you want to sum only IDs that are both in viewerreport and videoreport indexes, you could run this search
( I define that Id is named "Id" In videoreport and "videoId" in viewerreport, otherwise you have to rename fields in the correct way)
index=videoreport [ search index=viewerreport | rename videoId AS Id | dedup Id | fields Id ]
| stats sum(duration) AS Total_Duration BY Id
In this way, you use the subsearch (viewerreport index) to filter the main search (videoreport index) and then you can sum durations.
Bye.
Giuseppe
Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside
Splunk App Dev Community Updates – What’s New and What’s Next
The Latest Cisco Integrations With Splunk Platform!
