Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to merge two counts into one search

power12
Communicator
‎02-16-2023 10:40 AM

Hello Splunkers,

 

I have the following raw data

2023-02-15T12:43:06.774603-08:00 abc OpenSM[727419]: osm_spst_rcv_process: Switch 0x900a84030060ae40 MF0;www:MQM9700/U1 port 29 changed state from DOWN to INIT #012

2023-02-15T12:42:02.861268-08:00 abc OpenSM[727419]: osm_spst_rcv_process: Switch 0x900a84030060ae40 MF0;www:MQM9700/U1 port 29 changed state from ACTIVE to DOWN #012

I am using the below regex

 

index=abc "ACTIVE to DOWN #012"  host=ufmc-ndr* Switch IN(*)   port IN(*)
| stats count by   Switch port 
| rename count as "ACTIVE to DOWN  Count"
| appendcols
    [search index=abc "DOWN to INIT #012"  host=ufmc-ndr* Switch IN(*)   port IN(*)
| stats count by   Switch port | rename count as "DOWN to INIT Count"]
| sort - "ACTIVE to DOWN  Count"

 

 

I am trying to count the total events with "ACTIVE TO DOWN" by switch and port and also for "DOWN TO INIT"...If i run the search separately I am getting the correct count but when I join both its not showing correct values .

I want to have A table panel with fields Switch port  "ACTIVE to DOWN Count" " DOWN to INIT Count"

Thanks in Advance 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎02-16-2023 11:04 AM

Yet another case where appendcols is not the answer!

Try something like this

index=abc "ACTIVE to DOWN #012" OR "DOWN to INIT #012" host=ufmc-ndr* Switch IN(*)   port IN(*)
| stats count(eval(match(_raw, "ACTIVE to DOWN #012"))) as "ACTIVE to DOWN Count" count(eval(match(_raw, "DOWN to INIT #012"))) as "DOWN to INIT Count" by Switch port 
| sort - "ACTIVE to DOWN Count"

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎02-16-2023 11:04 AM

Yet another case where appendcols is not the answer!

Try something like this

index=abc "ACTIVE to DOWN #012" OR "DOWN to INIT #012" host=ufmc-ndr* Switch IN(*)   port IN(*)
| stats count(eval(match(_raw, "ACTIVE to DOWN #012"))) as "ACTIVE to DOWN Count" count(eval(match(_raw, "DOWN to INIT #012"))) as "DOWN to INIT Count" by Switch port 
| sort - "ACTIVE to DOWN Count"
Reply
Solved! Jump to solution

power12
Communicator
‎02-16-2023 11:10 AM

@ITWhisperer  Thanks that worked.

I used join and it worked but yours is way simple.

index=abc ....| replace "ACTIVE to DOWN #012" with "ACTIVE to DOWN Count" IN State | replace "DOWN to INIT #012" with "DOWN to INIT Count" IN State
| chart count over Switch by State
| join
    [search index=abc  
| stats count by Switch port] 
| fields Switch port "ACTIVE to DOWN Count" "DOWN to INIT Count"
0 Karma
Reply
Get Updates on the Splunk Community!

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...