Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Report from multiple indexes

runiyal
Path Finder
‎07-09-2019 01:16 PM

I need to create a report based on three different search criteria from three different sources. But since its a reconciliation report from three different systems, I need to make sure I present it in one report itself.

index=abc host="server-abc*" "upload succeeded" env=prd 

index=klm host="server-klm*" "index file" "*_prd.xml" 

index=xyz host="server-xyz*" "file uploaded" "Status code  : {}200"

The output/report I am trying to achieve is -

Index   Count
abc    100
klm       89
xyz     98

Will appreciate your ideas to achieve this.

Tags (4)
0 Karma
Reply

tiagofbmm
Influencer
‎07-09-2019 01:20 PM

Try this

( index=abc host="server-abc*" "upload succeeded" env=prd ) OR ( index=klm host="server-klm*" "index file" "*_prd.xml" ) OR ( 
 index=xyz host="server-xyz*" "file uploaded" "Status code  : {}200") | stats count by index
0 Karma
Reply

runiyal
Path Finder
‎07-09-2019 02:05 PM

Thank tiagofbmm and what if I need to give another name to each index. Like instead of "abc", if I want to show custom name like "Indexer1" and so on?

0 Karma
Reply
Get Updates on the Splunk Community!

Wrapping Up Cybersecurity Awareness Month

October might be wrapping up, but for Splunk Education, cybersecurity awareness never goes out of season. ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

🗣 You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...

What's New in Splunk Observability - October 2025

What’s New?    We’re excited to announce the latest enhancements to Splunk Observability Cloud and share ...