Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to combine results of two stats searches into one so summary information can be displayed in one pie-chart

TMazurek
New Member
‎10-21-2016 04:33 AM

I have two searches:

1st search:
index=main sourcetype=ab_alerts | rename ab_alerts.AlertID as AlertID, ab_alerts.SWArea as AVSWArea | stats dc(AlertID) by AVSWArea

that gives output:
alt text

2nd search:
index=main sourcetype=ab_siem_alarms | rename ab_siem_alarms.AlarmId as AlarmID, ab_siem_alarms.SWArea as SWArea | stats dc(AlarmID) by SWArea

that gives output:
alt text

My goal is to add results of both searches so I can display them on as summarized value of both parsed by SWArea

Tags (2)
Preview file
1 KB
Preview file
1 KB
0 Karma
Reply

sundareshr
Legend
‎10-21-2016 05:21 AM

How about this

 (index=main sourcetype=ab_alerts) OR (index=main sourcetype=ab_siem_alarms)
 | rename ab_alerts.AlertID as ID,  ab_alerts.SWArea as SWArea, ab_siem_alarms.AlarmId as ID,  ab_siem_alarms.SWArea as SWArea 
 | chart dc(ID) over SWArea by sourcetype
0 Karma
Reply

TMazurek
New Member
‎10-21-2016 05:44 AM

it give same result as javiergn search
only events from sourcetype=ab_siem_alarms are displayed

on top of that what if AlertID and AlarmId will have same value i.e. 11111 ? It should give me count two not one

0 Karma
Reply

javiergn
SplunkTrust
SplunkTrust
‎10-21-2016 04:49 AM

If I understand correctly you just want to combine the results of both searches into one table.
If that's the case this is what I would do:

(index=main sourcetype=ab_alerts) OR (index=main sourcetype=ab_siem_alarms)
| rename 
    ab_alerts.AlertID as ID, 
    ab_alerts.SWArea as SWArea, 
    ab_siem_alarms.AlarmId as ID, 
    ab_siem_alarms.SWArea as SWArea 
| stats dc(ID) by SWArea, sourcetype

Or you can simply remove the group by sourcetype if you don't want to display this field.

Thanks,
J

0 Karma
Reply

TMazurek
New Member
‎10-21-2016 05:13 AM

this one return only records from ab_siem_alarms
furthermore, imagine that AlertID and AlarmId are numeric value. If there will be i.e. Alert 11111 and Alarm 11111 it gives only 1 as distinct count and in fact there are two. Distinct count should show distinct values in sourcetype=ab_alerts and sourcetype=ab_siem_alarms

0 Karma
Reply

javiergn
SplunkTrust
SplunkTrust
‎10-21-2016 06:17 AM

That's the reason I was grouping by sourcetype too in the stats.

In any case, I can't really reproduce your issue without knowing a bit more about how your data looks like.
Would you be happy to post here 2-3 events from each sourcetype?

0 Karma
Reply

inventsekar
Super Champion
‎10-21-2016 04:43 AM

i hope stats can have more than one "by" clause. 

index=main sourcetype=ab_alerts OR sourcetype=ab_siem_alarms
| rename ab_alerts.AlertID as AlertID, ab_alerts.SWArea as AVSWArea ab_siem_alarms.AlarmId as AlarmID, ab_siem_alarms.SWArea as SWArea
| stats dc(AlertID) by AVSWArea, dc(AlarmID) by SWArea
0 Karma
Reply

TMazurek
New Member
‎10-21-2016 05:10 AM

well it doesnt work at all - 0 results

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboard Studio Challenge - Learn New Tricks, Showcase Your Skills, and Win Prizes!

Reimagine what you can do with your dashboards. Dashboard Studio is Splunk’s newest dashboard builder to ...

Introducing Edge Processor: Next Gen Data Transformation

We get it - not only can it take a lot of time, money and resources to get data into Splunk, but it also takes ...

Take the 2021 Splunk Career Survey for $50 in Amazon Cash

Help us learn about how Splunk has impacted your career by taking the 2021 Splunk Career Survey. Last year’s ...