Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to add values from different Indexes?

diegomedinar
New Member
‎04-13-2022 10:26 AM

Hello,

 

I would like to add values from a search in one index and then to the result of another search from a different index to sum the results

Here is one search:

index=xxxxx_network_xxxxx | dedup host | stats count(host) as network

And here is another one:

index=xxxx_server_xxxxx | dedup host | stats count(host) as server

I need the value from network + server

Any ideas how to do this in one search for implementing a Dashboard?

Thanks,

Labels (1)
Labels
0 Karma
Reply

diegomedinar
New Member
‎04-13-2022 11:10 AM

Thank you! I just ran the following query, but shows no events, any idea? Excuse me because I´m new to this platform:

tstats dc(host) by index where index=xxxx_server_xxxx OR index=xxxx_network_xxxx

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎04-13-2022 12:06 PM

If you typed it in literarily as you wrote here - you didn't put the pipe sign at the beginning. It is important.

If you copy-paste the search (of course substituting your index names) as I wrote it - with the pipe at the start, it's treated as the tstats command with appropriate arguments. If you omit the leading pipe, the "tstats" word and most of the rest of the line is treated as arguments to the implicit search command.

So you need to do

| tstats dc(host) by index where index=xxxx_server_xxxx OR index=xxxx_network_xxxx

not

tstats dc(host) by index where index=xxxx_server_xxxx OR index=xxxx_network_xxxx

 

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎04-13-2022 10:37 AM

That's not how you do it (at least if you want to do it effectively).

Firstly, there's no point in running dedup only to count the values in the next step. It's what dc() stats function is for.

Then if the only different condition in those searches is the index name, you can just search from both those indexes and do stats dc(host) by index. Then maybe do a simple substitution with eval so you don't see full index names.

But the most important thing is that host is an indexed field so you can do you can use tstats which is way way faster than normal searching and statsing. So just do

| tstats dc(host) by index where index=index1 OR index=index2

And that's all

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...