Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to join fields from two different indexes and times?

tpaulsen
Contributor
‎01-31-2013 10:32 AM

Hello,

i have to following problem.

I have one search, listing me some hosts and their matching environment, search range: all time.

index=idx_stats | top limit=10000 host,envi | fields - count,percent

And i have a second search, for the last 7 days, that delivers me the "per_host_thruput" from out of the Splunk _internal index. I want to match now those by host and day results with the list of host and environments above. How can i achieve that?

index="_internal" source="*metrics.log" group="per_host_thruput" | eval date=strftime(_time, "%F") | chart sum(kb) over series by date
0 Karma
Reply

lguinn2
Legend
‎01-31-2013 10:43 AM

There are several ways to do this, depending on how you want the resulting chart (or table?) to look. So more information would be helpful. But here is a start

index=idx_stats earliest=0
| stats values(envi) by host
| join host [ search index="_internal" source="*metrics.log" group="per_host_thruput" earliest=-7d
    | eval date=strftime(_time, "%F") 
    | rename series as host
    | chart sum(kb)  over host by date ]
0 Karma
Reply

lguinn2
Legend
‎02-02-2013 10:08 PM

Well, you are searching idx_stats over all time. How big is this index?

Second, do these searches work individually? How long do they take to run?

index=idx_stats earliest=0
| stats values(host) by envi

and

index="_internal" source="*metrics.log" group="per_host_thruput" earliest=-7d
| eval date=strftime(_time, "%F")
| rename series as host
| chart sum(kb) over host by date

0 Karma
Reply

tpaulsen
Contributor
‎01-31-2013 10:58 AM

Maybe...if i use a macro?

0 Karma
Reply

tpaulsen
Contributor
‎01-31-2013 10:48 AM

Hey, that was quick! Thank you.

I tried it the other way round, because i am interested in the GB not per Host but per "envi". But i didn´t get it to work. You suggested solution doesn´t unfortunately work either. I think the main problem are also the different time ranges for the search. The index=idx_stats search goes for a very long time, the other search is only 7 days.

0 Karma
Reply
Get Updates on the Splunk Community!

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...