Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Multi Index combination

jerinvarghese
Communicator
‎10-16-2020 07:40 AM

Hi All,

Need to combine 2 index together and also need the values to be added/summed together.

Code 1 : 

 

index=nw_syslog message_type="BGP-5-ADJCHANGE"
| stats count by nodelabel, message_type
| table nodelabel, message_type, count

 

Table 1 : 

nodelabelmessage_typecount
AOKBFBGP PEER LOST2
CMPRSBGP PEER LOST2

 

Code 2: 

 

index=opennms 
| stats count by nodelabel, message_type
| table nodelabel, message_type, count

 

Table 2: 

nodelabelmessage_typecount
AOKBFBGP PEER LOST3
CMPRSBGP PEER LOST3

 

I used append and also  join type=outer nodelabel  but the value is not added.

 

Expected  Table Final : 

nodelabelmessage_typecount
AOKBFBGP PEER LOST5
CMPRSBGP PEER LOST5
Labels (5)
Labels
0 Karma
Reply

jerinvarghese
Communicator
‎10-20-2020 06:18 AM

Hi @gcusello ,

 

Got another solution 

 

index=nw_syslog message_type="BGP-5-ADJCHANGE"
| table nodelabel, message_type, count

| append [ search index=opennms 
| table nodelabel, message_type, count ]

| stats count by nodelabel, message_type, count

 

 

this provided me the desired value. thanks so much for your suggestion too. that to helped me in the result.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-20-2020 07:16 AM

Hi @jerinvarghese,

your solution is like mine, but beware if the second search could have more than 50,000 results, because there's this limit in subsearches.

then beware to use the same field name for count.

Ciao.

Giuseppe

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-16-2020 08:03 AM

Hi @jerinvarghese,

if you have the same field names in both indexes is easier you can think:

(index=nw_syslog message_type="BGP-5-ADJCHANGE") OR (index=opennms)
| stats count BY nodelabel message_type
| table nodelabel, message_type, count

if instead you have different field names, you have to rename them to have the same field names.

In this way, you haven't the limit of 50,000 results in subsearches that you'd have using join or append.

Ciao.

Giuseppe

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...