Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to add values from different Indexes?

diegomedinar
New Member
‎04-13-2022 10:26 AM

Hello,

 

I would like to add values from a search in one index and then to the result of another search from a different index to sum the results

Here is one search:

index=xxxxx_network_xxxxx | dedup host | stats count(host) as network

And here is another one:

index=xxxx_server_xxxxx | dedup host | stats count(host) as server

I need the value from network + server

Any ideas how to do this in one search for implementing a Dashboard?

Thanks,

Labels (1)
Labels
0 Karma
Reply

diegomedinar
New Member
‎04-13-2022 11:10 AM

Thank you! I just ran the following query, but shows no events, any idea? Excuse me because I´m new to this platform:

tstats dc(host) by index where index=xxxx_server_xxxx OR index=xxxx_network_xxxx

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎04-13-2022 12:06 PM

If you typed it in literarily as you wrote here - you didn't put the pipe sign at the beginning. It is important.

If you copy-paste the search (of course substituting your index names) as I wrote it - with the pipe at the start, it's treated as the tstats command with appropriate arguments. If you omit the leading pipe, the "tstats" word and most of the rest of the line is treated as arguments to the implicit search command.

So you need to do

| tstats dc(host) by index where index=xxxx_server_xxxx OR index=xxxx_network_xxxx

not

tstats dc(host) by index where index=xxxx_server_xxxx OR index=xxxx_network_xxxx

 

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎04-13-2022 10:37 AM

That's not how you do it (at least if you want to do it effectively).

Firstly, there's no point in running dedup only to count the values in the next step. It's what dc() stats function is for.

Then if the only different condition in those searches is the index name, you can just search from both those indexes and do stats dc(host) by index. Then maybe do a simple substitution with eval so you don't see full index names.

But the most important thing is that host is an indexed field so you can do you can use tstats which is way way faster than normal searching and statsing. So just do

| tstats dc(host) by index where index=index1 OR index=index2

And that's all

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Extending Splunk AI Assistant for SPL to Splunk Enterprise customers!

Howdy Splunk Community! It’s an exciting day here at Splunk – Splunk AI Assistant for SPL version 1.3.0 is now ...

Developer Spotlight with Qmulos

Qmulos: Building a Next-Level Cybersecurity Business through Splunk Apps Qmulos started as a scrappy startup ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Enhance Security Operations with Automated Threat Analysis in the Splunk EcosystemAre you leveraging ...
Top