Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to search and compare three indexes in one search?

JoshuaJohn
Contributor
‎08-09-2016 08:20 AM

So I had an issue yesterday that was resolved, but ran into something similar that I cannot seem to find a solution to. I want my three indexes to display in one search.

Here are the three indexes:

index=nitro_prod_comm_pci com.impl.AgnosticOmsTokenTranslator "Calling translate"
index=nitro_prod_comm_pci com.impl.AgnosticOmsTokenTranslator "Message translation is successful"
index="nitro_prod_comm_email" INFO EmailType=Order_Confirmation

Getting them to display by index worked when I had two different indexes, but because two of the searches have the same index, it no longer works:

(index=nitro_prod_comm_pci com.impl.AgnosticOmsTokenTranslator "Calling translate") OR (index="nitro_prod_comm_email" INFO EmailType=Order_Confirmation) earliest = -24h| stats count by index | replace nitro_prod_comm_pci with Calling_Translate, nitro_prod_comm_email with Email_Confirmed

Any solutions to get the three indexes to compare with each other?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-09-2016 08:41 AM

Try like this

(index=nitro_prod_comm_pci com.impl.AgnosticOmsTokenTranslator ("Calling translate" OR "Message translation is successful")) OR (index="nitro_prod_comm_email" INFO EmailType=Order_Confirmation) earliest=-24h
| eval Type=case(index="nitro_prod_comm_email","Email_Confirmed",match(_raw,"Calling translate"),"Calling_Translate",true(),"Message_Translation_Success") | stats count by Type

View solution in original post

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎08-10-2016 12:09 AM

try something like this

index=nitro_prod_comm_pci com.impl.AgnosticOmsTokenTranslator "Calling translate" | eval nsearch="search1" | append [ search index=nitro_prod_comm_pci com.impl.AgnosticOmsTokenTranslator "Message translation is successful" | eval nsearch="search2" ] | append [ search index="nitro_prod_comm_email" INFO EmailType=Order_Confirmation | eval nsearch="search3" ] | stats count by nsearch

Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎08-09-2016 02:34 PM

Try this

(index=nitro_prod_comm_pci com.impl.AgnosticOmsTokenTranslator ("Calling translate" OR "Message translation is successful")) OR (index="nitro_prod_comm_email" INFO EmailType=Order_Confirmation) earliest=-24h | rex "(?<status>translate|translation|Order_Confirmation)" | stats count by status | reanme translate AS Calling_Translate translation AS "Message translation is successful" Order_Confirmation AS Email_Confirmed
0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-09-2016 08:41 AM

Try like this

(index=nitro_prod_comm_pci com.impl.AgnosticOmsTokenTranslator ("Calling translate" OR "Message translation is successful")) OR (index="nitro_prod_comm_email" INFO EmailType=Order_Confirmation) earliest=-24h
| eval Type=case(index="nitro_prod_comm_email","Email_Confirmed",match(_raw,"Calling translate"),"Calling_Translate",true(),"Message_Translation_Success") | stats count by Type
Reply
Solved! Jump to solution

JoshuaJohn
Contributor
‎08-09-2016 08:45 AM

Thank you!

0 Karma
Reply
Solved! Jump to solution

JoshuaJohn
Contributor
‎08-09-2016 02:22 PM

So I have been trying this and it appears calling translate and message_translation_success are providing the exact same results but they shouldn't be and when tested individually they dont

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎08-15-2016 04:09 PM

Could you provide more info on "providing the exact same result but they shouldn't"?

0 Karma
Reply
Solved! Jump to solution

JoshuaJohn
Contributor
‎08-16-2016 06:44 AM

It was actually my error with the data, your method works just fine! Thank you.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎08-09-2016 08:25 AM

Can you share samples from each index?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

JoshuaJohn
Contributor
‎08-09-2016 08:36 AM

They each provide the number ~10,000, slightly different for each of them I wanted to compare the differences in a piechart

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎08-09-2016 08:38 AM

I was wondering about field names. If there is a field common to the 3 event types then that could be used in the query in place of index.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎08-09-2016 08:23 AM

You can use a sub-search, only drawback is that its slow 

index=nitro_prod_comm_pci com.impl.AgnosticOmsTokenTranslator "Calling translate" [search index="nitro_prod_comm_email" INFO EmailType=Order_Confirmation) earliest = -24h| stats count by index | replace nitro_prod_comm_pci with Calling_Translate, nitro_prod_comm_email with Email_Confirmed]
0 Karma
Reply
Solved! Jump to solution

JoshuaJohn
Contributor
‎08-09-2016 08:34 AM

Using OR would work for that example, but I need ""Message translation is successful"" also which is why I cannot use the OR method or do stats count by index because the index is the same.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...