Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to connect two different indexes by unique item code showing count / percent (with match) & (without match)?

timothytruax
Explorer
‎03-30-2018 09:10 AM
  • I have 2 indexes.
  • 1st index (Index1) has a unique item code (Item1) for an item when it enters a process.
  • 2nd index (Index2) should have the same unique item code (Item2) when the item exits the process.
  • I want to produce report showing a count / percent where the (Index1.Item1 = Index2.Item2) & where (Index1.Item1 <> Index2.Item2).

Please show examples of SPL if possible and thank you!

0 Karma
Reply

somesoni2
Revered Legend
‎04-01-2018 05:58 PM

Try something like this

(index=index1 other parts ) OR (index=index2 other parts)
| eval itemCode=coalesce(item1,item2)
| stats dc(index) as reportedBy by itemCode
| stats count as Count by reportedBy | eventstats sum(Count) as Total
| eval Percent=round(Count*100/Total,2)
| eval ItemType=if(reportedBy=2,"Common in Both Indexes","Unique in Both Indexes")
| table ItemType Count Percent
0 Karma
Reply

deepashri_123
Motivator
‎03-30-2018 09:36 AM

Hey@timothytruax,

Try something like this,
if item1 and item2 has same fields then
index=index1 OR index=index2 | rename item2 as item1 | stats count dc(index) AS dc by item1 | where dc>1 | stats count .
This will give you the count of items having common values.

Let me know if this helps!!

0 Karma
Reply

timothytruax
Explorer
‎03-30-2018 10:58 AM

Hey deepashri_123 -
What if there is possibility of duplicates in Index1 of the Item1 and possibility of duplicates in Index2 of Item2?
I want to be sure that Index1.Item1 is actually present in Index2.Item2.

0 Karma
Reply

deepashri_123
Motivator
‎03-30-2018 11:23 AM

This query should give you exact count of items having values in both indexes.
Even if there is duplication. Just to confirm you need count of items common or event count?
Event count will need some other approach.

0 Karma
Reply

timothytruax
Explorer
‎04-01-2018 04:45 PM

Hey deepashri_123 -
I tried entering this one below; naturally with my fields and it did not work - it just shows a count = 0.

index=index1 OR index=index2 | rename item2 as item1 | stats count dc(index) AS dc by item1 | where dc>1 | stats count .

Any other suggestions? I continue to try different approaches.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Discover how the Splunk Model Context Protocol (MCP) Server can revolutionize the way your organization uses ...