Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to edit my search to get the total count of tw...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
micave
New Member
01-18-2017
08:18 AM
I have two indexes that I need to search. For the first index, I need to count the total from a certain field however I need to dedup this field first. I have the same dilemma with the second index. I need to count the total but have to dedup as well. For example:
index=MyIndex1 OR index=MyIndex2 | dedup MyIndex1Field | dedup MyIndex2Field | stats count MyIndexField1 as Total1, count MyIndexField2 as Total2 | eval CalcField=(Total1/Total2)
There are some commands I will pipe in once I get this solved but for now just trying to figure this out. I keep getting issues when I dedup one or the other so the goal is to dedup both. Any help would be appreciated.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
01-18-2017
09:06 AM
Try like this
index=MyIndex1 OR index=MyIndex2 | eval commonfield=coalesce(MyIndex1Field ,MyIndex2Field) | dedup index commonfield | eval temp=1 | chart count(commonfield) over temp by index | fields - temp | rename MyIndex1 as Total1 Myindex2 as Total2 | eval CalcField=(Total1/Total2)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
gokadroid
Motivator
01-18-2017
09:08 AM
How about separating MyIndex1Field of MyIndex1 and MyIndex2Field of MyIndex2 for something like this and see if it works for you:
index=MyIndex1 | dedup MyIndex1Field | stats count as Total1
| append [ search index=MyIndex2 | dedup MyIndex2Field | stats count as Total2 ]
| eval CalcField=(Total1/Total2)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
micave
New Member
01-20-2017
12:48 PM
Tried the other solution first and it worked for me. Interested in also trying this. Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
01-18-2017
09:06 AM
Try like this
index=MyIndex1 OR index=MyIndex2 | eval commonfield=coalesce(MyIndex1Field ,MyIndex2Field) | dedup index commonfield | eval temp=1 | chart count(commonfield) over temp by index | fields - temp | rename MyIndex1 as Total1 Myindex2 as Total2 | eval CalcField=(Total1/Total2)
Get Updates on the Splunk Community!
Index This | What is broken 80% of the time by February?
December 2025 Edition
Hayyy Splunk Education Enthusiasts and the Eternally Curious!
We’re back with this ...
Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...
Hello Splunk Community,
We're thrilled to share an exciting update that will help you manage your data more ...
Splunk MCP & Agentic AI: Machine Data Without Limits
Discover how the Splunk Model Context Protocol (MCP) Server can revolutionize the way your organization uses ...
