Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to add values from different Indexes?

diegomedinar
New Member
‎04-13-2022 10:26 AM

Hello,

 

I would like to add values from a search in one index and then to the result of another search from a different index to sum the results

Here is one search:

index=xxxxx_network_xxxxx | dedup host | stats count(host) as network

And here is another one:

index=xxxx_server_xxxxx | dedup host | stats count(host) as server

I need the value from network + server

Any ideas how to do this in one search for implementing a Dashboard?

Thanks,

Labels (1)
Labels
0 Karma
Reply

diegomedinar
New Member
‎04-13-2022 11:10 AM

Thank you! I just ran the following query, but shows no events, any idea? Excuse me because I´m new to this platform:

tstats dc(host) by index where index=xxxx_server_xxxx OR index=xxxx_network_xxxx

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎04-13-2022 12:06 PM

If you typed it in literarily as you wrote here - you didn't put the pipe sign at the beginning. It is important.

If you copy-paste the search (of course substituting your index names) as I wrote it - with the pipe at the start, it's treated as the tstats command with appropriate arguments. If you omit the leading pipe, the "tstats" word and most of the rest of the line is treated as arguments to the implicit search command.

So you need to do

| tstats dc(host) by index where index=xxxx_server_xxxx OR index=xxxx_network_xxxx

not

tstats dc(host) by index where index=xxxx_server_xxxx OR index=xxxx_network_xxxx

 

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎04-13-2022 10:37 AM

That's not how you do it (at least if you want to do it effectively).

Firstly, there's no point in running dedup only to count the values in the next step. It's what dc() stats function is for.

Then if the only different condition in those searches is the index name, you can just search from both those indexes and do stats dc(host) by index. Then maybe do a simple substitution with eval so you don't see full index names.

But the most important thing is that host is an indexed field so you can do you can use tstats which is way way faster than normal searching and statsing. So just do

| tstats dc(host) by index where index=index1 OR index=index2

And that's all

0 Karma
Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

  Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...