Splunk Search

How do you count Unique IDs, in both indexes, based on a specific event?

diegofavoretto
New Member

I am trying to get Unique IDs (appears in both indexes) but I only want to count if there is event_name="AccountFinalized OR event_name="AccountActivated" in index 1 AND event_name="Deposit" in index 2.

(index=capi_event event_name="AccountFinalized" OR event_name="AccountActivated" account_id ) OR (index=piq_event ) | join type=inner  "account_id" [search index=piq_event event_name="DEPOSIT" account_id state!="WAITING_INPUT"] | stats dc(account_id) AS uniqueID dc(status) AS uniqueStatus count(state) AS State by event_name | 
Tags (2)
0 Karma

valiquet
Contributor

(index=capi_event event_name="AccountFinalized" OR event_name="AccountActivated" account_id ) AND ( index=piq_event event_name="DEPOSIT" account_id state!="WAITING_INPUT")
| stats values(account_id)

0 Karma

whrg
Motivator

Hello @diegofavoretto,

You can use a subsearch to filter for IDs in the second index:

index=capi_event event_name="AccountFinalized" OR event_name="AccountActivated" [search index=piq_event event_name="DEPOSIT" | table account_id]
| stats ...
0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...