Splunk Search

How to combine multiple searches to get result

celerickalyan11
New Member

Ex:

index=newIndex   host="1.12.123.4*" "Field"="abcd"| stats count as totalcount | where totalcount >= 10        

and

index=newIndex   host="1.12.123.4*" "Field"="qwer"| stats count as totalcount | where totalcount >= 20  
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

index=newIndex host="1.12.123.4*" (Field="abcd" OR Field="qwer") | stats count as totalcount by Field | where ((Field="abcd" AND totalcount >= 10) OR (Field="qwer" and totalcount >= 20))

---
If this reply helps you, Karma would be appreciated.

View solution in original post

woodcock
Esteemed Legend

Do not use append. Do not use join. Here are a few good ways:

index=newIndex host="1.12.123.4*" AND (Field="abcd" OR Field="qwer")
| stats count as totalcount  BY Field
| where (Field="abcd" AND totalcount >= 10) OR (Field="qwer" AND totalcount >=20)

OR

index=newIndex host="1.12.123.4*" AND (Field="abcd" OR Field="qwer")
| stats count(eval(Field="abcd")) AS abcd count(eval(Field="qwer")) AS qwer
| where (abcd >= 10) OR (qwer >=20)

mayurr98
Super Champion

You may try this as well:

index=newIndex host="1.12.123.4*" "Field"="abcd" 
| stats count by totalcount 
| where count>=10 
| append 
    [ search index=newIndex host="1.12.123.4*" "Field"="qwer" 
    | stats count as totalcount 
    | where totalcount>=20 ]

OR

index=newIndex host="1.12.123.4*" (Field="abcd" OR Field="qwer") 
| stats count as totalcount by Field 
| where (Field="abcd" AND totalcount>=10) AND (Field="qwer" AND totalcount>=20)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

index=newIndex host="1.12.123.4*" (Field="abcd" OR Field="qwer") | stats count as totalcount by Field | where ((Field="abcd" AND totalcount >= 10) OR (Field="qwer" and totalcount >= 20))

---
If this reply helps you, Karma would be appreciated.

rafaelsalazar
Path Finder

This is the right way.
Both append and join solutions not only are bad practices, but also if dataset is big enough, they will probably hit a conf limit and return less events.

0 Karma

celerickalyan11
New Member

Thank you rafael, I think we are missing something in Where clause. Without Where clause I get the result but once I add where clause it throws no results though my count number is quite small.

0 Karma

rafaelsalazar
Path Finder

Try instead of 10 or 20 a small number like 0 or 1

0 Karma

celerickalyan11
New Member

Without Where clause I get 6000+ count , with where clause I get no result. I tried to lower the count like 0, 1. No luck

0 Karma

celerickalyan11
New Member

Never mind, I got it. Renamed the field name as my field name has . in it

Thank you

0 Karma

michael_schmidt
Path Finder

Try this on for size:

index=newIndex host="1.12.123.4*" "Field"="abcd"| stats count as totalcount | where totalcount >= 10 | join type=outer host [search index=newIndex host="1.12.123.4*" "Field"="qwer"| stats count as totalcount | where totalcount >= 20 ]
0 Karma
Get Updates on the Splunk Community!

Exporting Splunk Apps

Join us on Monday, October 21 at 11 am PT | 2 pm ET!With the app export functionality, app developers and ...

Cisco Use Cases, ITSI Best Practices, and More New Articles from Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Build Your First SPL2 App!

Watch the recording now!.Do you want to SPL™, too? SPL2, Splunk's next-generation data search and preparation ...