Splunk Search

Merging results from two different searches in one fill chart

Path Finder

My company is currently trying to archive a large amount of older files; however, new files are coming in daily. We would like to know what percentage of files has been archived versus the total (including the new images). I have both search results, but I can't seem to put them together. I'm pretty new to Splunk, and I tried using a join but I couldn't seem to figure it out, so any assistance would be appreciated. Thank you in advance.

Search 1:
sourcetype="log.txt-3" status="*" | stats count as currProc | eval totalProc=(currProc+1525036) | eval percentage=round(totalProc*100/34937175,1) | stats sum(percentage)

Search 2:
source="C:\xxxxxx\serverstatus.log" successWrite="*" | stats count as new | eval totalDCM=(new+34937175) | stats sum(totalDCM)

My goal is to add Search 2 to the percentage area, since Search 1 already does the percentage calculations.

1 Solution

Path Finder

I don't know if this is the most efficient way to do things, but here is how I merged two searches:

sourcetype=cisco:ios AND %FW-6-DROP_PKT earliest=-7d@m latest=now | bucket _time span=1d | stats count by _time | stats avg(count) as AverageCountPerDay | eval AveragePerDay=round(AverageCountPerDay, 0) | fields - AverageCountPerDay | eval search=[search sourcetype=cisco:ios AND %FW-6-DROP_PKT earliest=-24h@m latest=now | stats count(src_ip_zbfw) | rename count(src_ip_zbfw) as search] | rename search as today | eval Diff=today-AveragePerDay | eval Today=Diff/today*100 | fieldformat "PercentChange" = tostring(round(Today,2))."%" | table PercentChange,today,Today

You will see the 2nd search here: "eval search=[search sourcetype=cisco:ios AND %FW-6-DROP_PKT earliest=-24h@m latest=now | stats count(src_ip_zbfw) | rename count(src_ip_zbfw) as search]"



Path Finder

That worked...thanks. I really appreciate it. My final search string was:

sourcetype="log.txt-3" status="*" | stats count as currProc | eval totalProc=(currProc+1525036) | eval search=[search source="C:\\xxxxx\\serverstatus.log" successWrite="*" | chart count as total | eval search=(total+34937175)] | rename search as totalDCM | eval percentage=round(totalProc*100/totalDCM,1) | stats sum(percentage)

Thanks again!!
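The accepted answer and the final search above both smuggle the second search's single number through a subsearch that returns a field literally named search, which Splunk substitutes as raw text into the eval. As an added example (not posted by anyone in this thread), the same merge can be written with appendcols, which joins the subsearch's single result row onto the outer result column by column, so the second total arrives as a normal named field; the sourcetype, source path and the two constants are taken from the question.

```spl
sourcetype="log.txt-3" status="*"
| stats count AS currProc
| eval totalProc = currProc + 1525036
| appendcols [
    search source="C:\\xxxxx\\serverstatus.log" successWrite="*"
    | stats count AS new
    | eval totalDCM = new + 34937175
  ]
| eval percentage = round(totalProc * 100 / totalDCM, 1)
| table currProc totalProc totalDCM percentage
```

Both forms still run the second query as a subsearch, so they are subject to Splunk's subsearch result and runtime limits; that is harmless here because each side reduces to one stats row.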
