Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to add values from different Indexes?

diegomedinar
New Member
‎04-13-2022 10:26 AM

Hello,

 

I would like to add values from a search in one index and then to the result of another search from a different index to sum the results

Here is one search:

index=xxxxx_network_xxxxx | dedup host | stats count(host) as network

And here is another one:

index=xxxx_server_xxxxx | dedup host | stats count(host) as server

I need the value from network + server

Any ideas how to do this in one search for implementing a Dashboard?

Thanks,

Labels (1)
Labels
0 Karma
Reply

diegomedinar
New Member
‎04-13-2022 11:10 AM

Thank you! I just ran the following query, but shows no events, any idea? Excuse me because I´m new to this platform:

tstats dc(host) by index where index=xxxx_server_xxxx OR index=xxxx_network_xxxx

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎04-13-2022 12:06 PM

If you typed it in literarily as you wrote here - you didn't put the pipe sign at the beginning. It is important.

If you copy-paste the search (of course substituting your index names) as I wrote it - with the pipe at the start, it's treated as the tstats command with appropriate arguments. If you omit the leading pipe, the "tstats" word and most of the rest of the line is treated as arguments to the implicit search command.

So you need to do

| tstats dc(host) by index where index=xxxx_server_xxxx OR index=xxxx_network_xxxx

not

tstats dc(host) by index where index=xxxx_server_xxxx OR index=xxxx_network_xxxx

 

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎04-13-2022 10:37 AM

That's not how you do it (at least if you want to do it effectively).

Firstly, there's no point in running dedup only to count the values in the next step. It's what dc() stats function is for.

Then if the only different condition in those searches is the index name, you can just search from both those indexes and do stats dc(host) by index. Then maybe do a simple substitution with eval so you don't see full index names.

But the most important thing is that host is an indexed field so you can do you can use tstats which is way way faster than normal searching and statsing. So just do

| tstats dc(host) by index where index=index1 OR index=index2

And that's all

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Observability Simplified: Combining User Experience, Application Performance & ...

Tech Talk Observability Simplified: Combining User Experience, Application Performance & Network ...

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...

Global Splunk User Group Events: May + June 2026

Your Splunk Community Awaits: Discover Upcoming User Group Events Worldwide    Staying ahead in the fast-paced ...