Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Multi Index combination

jerinvarghese
Communicator
‎10-16-2020 07:40 AM

Hi All,

Need to combine 2 index together and also need the values to be added/summed together.

Code 1 : 

 

index=nw_syslog message_type="BGP-5-ADJCHANGE"
| stats count by nodelabel, message_type
| table nodelabel, message_type, count

 

Table 1 : 

nodelabelmessage_typecount
AOKBFBGP PEER LOST2
CMPRSBGP PEER LOST2

 

Code 2: 

 

index=opennms 
| stats count by nodelabel, message_type
| table nodelabel, message_type, count

 

Table 2: 

nodelabelmessage_typecount
AOKBFBGP PEER LOST3
CMPRSBGP PEER LOST3

 

I used append and also  join type=outer nodelabel  but the value is not added.

 

Expected  Table Final : 

nodelabelmessage_typecount
AOKBFBGP PEER LOST5
CMPRSBGP PEER LOST5
Labels (5)
Labels
0 Karma
Reply

jerinvarghese
Communicator
‎10-20-2020 06:18 AM

Hi @gcusello ,

 

Got another solution 

 

index=nw_syslog message_type="BGP-5-ADJCHANGE"
| table nodelabel, message_type, count

| append [ search index=opennms 
| table nodelabel, message_type, count ]

| stats count by nodelabel, message_type, count

 

 

this provided me the desired value. thanks so much for your suggestion too. that to helped me in the result.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-20-2020 07:16 AM

Hi @jerinvarghese,

your solution is like mine, but beware if the second search could have more than 50,000 results, because there's this limit in subsearches.

then beware to use the same field name for count.

Ciao.

Giuseppe

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-16-2020 08:03 AM

Hi @jerinvarghese,

if you have the same field names in both indexes is easier you can think:

(index=nw_syslog message_type="BGP-5-ADJCHANGE") OR (index=opennms)
| stats count BY nodelabel message_type
| table nodelabel, message_type, count

if instead you have different field names, you have to rename them to have the same field names.

In this way, you haven't the limit of 50,000 results in subsearches that you'd have using join or append.

Ciao.

Giuseppe

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Event Series: Splunk Observability Metrics Cost Optimization

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...