How to count field values from two indexes and plo...

tp92222 · ‎03-03-2016

I have 2 indexes: index=report and index=fixed

Both have the same field ticket. When a ticket is reported, it goes in both indexes, but when that ticket is resolved, it just gets removed from fixed index.

Now I wanted to compare how many tickets where there before January and how many are still remaining and plot them on a graph.

Example

index=report contains:
ticket
1
2
3
4
5

index=fixed contains:
ticket
1
4
5

It should give output as:

total count=5
remain=3

and plot this on a graph.

woodcock · ‎03-03-2016

Try this base search:

index=report OR index=fixed | stats dc(index) AS Indices values(*) AS * by index

From there you can add any where indices ... clause that you like followed by another stats (or eventstats) clause to wrap it up.

fdi01 · ‎03-03-2016

try like :

 (index=report) OR(index=fixed) |stats count as total_count by  index

chimell · ‎03-03-2016

Hi
try this

index=report |stats count(ticket) as total_count |appendcols[search index=fixed |stats count(ticket) as remain]

in visualisation tab choose for example Bar chart

gyslainlatsa · ‎03-03-2016

hi tp92222,

i don't understand very well your problem, explain your problem in a simple way and tell us exactly what you want.

cordially

How to count field values from two indexes and plot this on a graph?

Index This | Why did the turkey cross the road?

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Feel the Splunk Love: Real Stories from Real Customers

Are you a member of the Splunk Community?

How to count field values from two indexes and plot this on a graph?

Index This | Why did the turkey cross the road?

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Feel the Splunk Love: Real Stories from Real Customers