Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to aggregate results based on a set of values

alejandrome
New Member
‎01-09-2020 05:57 AM

Hello all,

I have the following query:

index=someIndex "attr1"=aConstant attr2="aValue" filterCriteria="Criteria1" | table _time, resultValue1, resultValue2, resultValue3 | sort _time

Quick explanation of the fields:

  1. attr1/2: these are some filters which have constants. Those are "irrelevant" to my problem right now.
  2. filterCriteria: The above query has one value as a filter, but I need to filter by two values. This means something like filterCriteria in("Criteria1", "Criteria2").

For achieving this, I tried to use join of two separate queries, based on the filterCriteria attribute, like this:

index=someIndex "attr1"=aConstant attr2="aValue" filterCriteria="Criteria1" | join filterCriteria [search index=someIndex "attr1"=aConstant attr2="aValue" filterCriteria="Criteria2"] | table _time, resultValue1, resultValue2, resultValue3 | sort _time

But it seems that it's returning only the values of the last part of the join instead.

resultValue1/2/3 are fields with values shared by both queries, so they can be aggregated.

Is there a most efficient/another way to achieve this filtering by multivalued / in-like criteria?

Thanks in advance!

0 Karma
Reply

TISKAR
Builder
‎01-09-2020 08:09 AM

Hello,

Why you don't use the IN to filter request:

index=_internal name IN ("management","ingest")

in your case:

index=someIndex "attr1"=aConstant attr2="aValue" filterCriteria="Criteria1" | table _time, resultValue1, resultValue2, resultValue3 | sort _time
0 Karma
Reply

to4kawa
Ultra Champion
‎01-09-2020 06:47 AM 
(index=someIndex "attr1"=aConstant attr2="aValue" filterCriteria="Criteria1" ) OR (index=someIndex "attr1"=aConstant attr2="aValue" filterCriteria="Criteria2" ) 
| stats values(_time) as _time , values(resultValue1) as resultValues1, values(resultValue2) as resultValues2, values(resultValue3) as resultValues3 by filterCriteria 
| sort _time

try stats with by .

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud’s AI Assistant in Action Series: Analyzing and ...

This is the second post in our Splunk Observability Cloud’s AI Assistant in Action series, in which we look at ...

Elevate Your Organization with Splunk’s Next Platform Evolution

 Thursday, July 10, 2025  |  11AM PDT / 2PM EDT Whether you're managing complex deployments or looking to ...

Splunk Answers Content Calendar, June Edition

Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...
Top