Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to connect two different indexes by unique item code showing count / percent (with match) & (without match)?

timothytruax
Explorer
‎03-30-2018 09:10 AM
  • I have 2 indexes.
  • 1st index (Index1) has a unique item code (Item1) for an item when it enters a process.
  • 2nd index (Index2) should have the same unique item code (Item2) when the item exits the process.
  • I want to produce report showing a count / percent where the (Index1.Item1 = Index2.Item2) & where (Index1.Item1 <> Index2.Item2).

Please show examples of SPL if possible and thank you!

0 Karma
Reply

somesoni2
Revered Legend
‎04-01-2018 05:58 PM

Try something like this

(index=index1 other parts ) OR (index=index2 other parts)
| eval itemCode=coalesce(item1,item2)
| stats dc(index) as reportedBy by itemCode
| stats count as Count by reportedBy | eventstats sum(Count) as Total
| eval Percent=round(Count*100/Total,2)
| eval ItemType=if(reportedBy=2,"Common in Both Indexes","Unique in Both Indexes")
| table ItemType Count Percent
0 Karma
Reply

deepashri_123
Motivator
‎03-30-2018 09:36 AM

Hey@timothytruax,

Try something like this,
if item1 and item2 has same fields then
index=index1 OR index=index2 | rename item2 as item1 | stats count dc(index) AS dc by item1 | where dc>1 | stats count .
This will give you the count of items having common values.

Let me know if this helps!!

0 Karma
Reply

timothytruax
Explorer
‎03-30-2018 10:58 AM

Hey deepashri_123 -
What if there is possibility of duplicates in Index1 of the Item1 and possibility of duplicates in Index2 of Item2?
I want to be sure that Index1.Item1 is actually present in Index2.Item2.

0 Karma
Reply

deepashri_123
Motivator
‎03-30-2018 11:23 AM

This query should give you exact count of items having values in both indexes.
Even if there is duplication. Just to confirm you need count of items common or event count?
Event count will need some other approach.

0 Karma
Reply

timothytruax
Explorer
‎04-01-2018 04:45 PM

Hey deepashri_123 -
I tried entering this one below; naturally with my fields and it did not work - it just shows a count = 0.

index=index1 OR index=index2 | rename item2 as item1 | stats count dc(index) AS dc by item1 | where dc>1 | stats count .

Any other suggestions? I continue to try different approaches.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...