Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to combine multiple searches to get result

celerickalyan11
New Member
‎08-07-2019 11:32 AM

Ex: 

index=newIndex   host="1.12.123.4*" "Field"="abcd"| stats count as totalcount | where totalcount >= 10

and 

index=newIndex   host="1.12.123.4*" "Field"="qwer"| stats count as totalcount | where totalcount >= 20
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎08-07-2019 01:00 PM

index=newIndex host="1.12.123.4*" (Field="abcd" OR Field="qwer") | stats count as totalcount by Field | where ((Field="abcd" AND totalcount >= 10) OR (Field="qwer" and totalcount >= 20))

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎08-07-2019 03:24 PM

Do not use append. Do not use join. Here are a few good ways:

index=newIndex host="1.12.123.4*" AND (Field="abcd" OR Field="qwer")
| stats count as totalcount  BY Field
| where (Field="abcd" AND totalcount >= 10) OR (Field="qwer" AND totalcount >=20)

OR

index=newIndex host="1.12.123.4*" AND (Field="abcd" OR Field="qwer")
| stats count(eval(Field="abcd")) AS abcd count(eval(Field="qwer")) AS qwer
| where (abcd >= 10) OR (qwer >=20)
Reply
Solved! Jump to solution

mayurr98
Super Champion
‎08-07-2019 01:04 PM

You may try this as well:

index=newIndex host="1.12.123.4*" "Field"="abcd" 
| stats count by totalcount 
| where count>=10 
| append 
    [ search index=newIndex host="1.12.123.4*" "Field"="qwer" 
    | stats count as totalcount 
    | where totalcount>=20 ]

OR

index=newIndex host="1.12.123.4*" (Field="abcd" OR Field="qwer") 
| stats count as totalcount by Field 
| where (Field="abcd" AND totalcount>=10) AND (Field="qwer" AND totalcount>=20)
0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎08-07-2019 01:00 PM

index=newIndex host="1.12.123.4*" (Field="abcd" OR Field="qwer") | stats count as totalcount by Field | where ((Field="abcd" AND totalcount >= 10) OR (Field="qwer" and totalcount >= 20))

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

rafaelsalazar
Path Finder
‎08-07-2019 01:47 PM

This is the right way.
Both append and join solutions not only are bad practices, but also if dataset is big enough, they will probably hit a conf limit and return less events.

0 Karma
Reply
Solved! Jump to solution

celerickalyan11
New Member
‎08-07-2019 01:58 PM

Thank you rafael, I think we are missing something in Where clause. Without Where clause I get the result but once I add where clause it throws no results though my count number is quite small.

0 Karma
Reply
Solved! Jump to solution

rafaelsalazar
Path Finder
‎08-07-2019 02:32 PM

Try instead of 10 or 20 a small number like 0 or 1

0 Karma
Reply
Solved! Jump to solution

celerickalyan11
New Member
‎08-07-2019 02:38 PM

Without Where clause I get 6000+ count , with where clause I get no result. I tried to lower the count like 0, 1. No luck

0 Karma
Reply
Solved! Jump to solution

celerickalyan11
New Member
‎08-07-2019 03:08 PM

Never mind, I got it. Renamed the field name as my field name has . in it

Thank you

0 Karma
Reply
Solved! Jump to solution

michael_schmidt
Path Finder
‎08-07-2019 12:57 PM

Try this on for size:

index=newIndex host="1.12.123.4*" "Field"="abcd"| stats count as totalcount | where totalcount >= 10 | join type=outer host [search index=newIndex host="1.12.123.4*" "Field"="qwer"| stats count as totalcount | where totalcount >= 20 ]
0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...