Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to combine two search results in a better way

dibyaranjan3177
New Member
‎12-18-2019 05:59 AM

Hello,

I am trying to create a query which will help me combine results from two search results by doing this:

 index=some_index source="log_source" AND "Not Updated - sourceId" 
 | stats count as RejectedEvents 
 | appendcols [
     search index=some_index source="log_source" 
     | rex ".*Batch info: completed, processed entities: (?<numberOfMessage>.*)"
     | stats sum(numberOfMessage) as ProcessedEvents
   ] 
 | eval total = ProcessedEvents + RejectedEvents
 | fields total

This query works fine, but is insanely slow. Any help on making this better?

0 Karma
Reply

woodcock
Esteemed Legend
‎12-18-2019 12:17 PM

Try this:

index="some_index" AND source="log_source"
| rex ".*Batch info: completed, processed entities: (?<numberOfMessage>.*)"
| stats sum(numberOfMessage) AS ProcessedEvents count AS total_raw count(eval(searchmatch("Not Updated - sourceId"))) AS RejectedEvents
| eval total_true = ProcessedEvents + RejectedEvents
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-18-2019 08:06 AM

This may be a little better.

(index=some_index source="log_source") OR (index=some_index source="log_source" "Not Updated - sourceId" )
| eval Rejected = if (match(_raw, "Not Updated - sourceId"), 1, 0)
| rex ".*Batch info: completed, processed entities: (?<numberOfMessage>.*)"
| stats sum(Rejected) as RejectedEvents, sum(numberOfMessage) as ProcessedEvents
| eval total = ProcessedEvents + RejectedEvents
| fields total
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...