Splunk Search

Report from multiple indexes

runiyal
Path Finder

I need to create a report based on three different search criteria from three different sources. But since its a reconciliation report from three different systems, I need to make sure I present it in one report itself.

index=abc host="server-abc*" "upload succeeded" env=prd 

index=klm host="server-klm*" "index file" "*_prd.xml" 

index=xyz host="server-xyz*" "file uploaded" "Status code  : {}200"

The output/report I am trying to achieve is -

Index   Count
abc    100
klm       89
xyz     98

Will appreciate your ideas to achieve this.

Tags (4)
0 Karma

tiagofbmm
Influencer

Try this

( index=abc host="server-abc*" "upload succeeded" env=prd ) OR ( index=klm host="server-klm*" "index file" "*_prd.xml" ) OR ( 
 index=xyz host="server-xyz*" "file uploaded" "Status code  : {}200") | stats count by index
0 Karma

runiyal
Path Finder

Thank tiagofbmm and what if I need to give another name to each index. Like instead of "abc", if I want to show custom name like "Indexer1" and so on?

0 Karma
Get Updates on the Splunk Community!

New Splunk Observability innovations: Deeper visibility and smarter alerting to ...

You asked, we delivered. Splunk Observability Cloud has several new innovations giving you deeper visibility ...

Synthetic Monitoring: Not your Grandma’s Polyester! Tech Talk: DevOps Edition

Register today and join TekStream on Tuesday, February 28 at 11am PT/2pm ET for a demonstration of Splunk ...

Instrumenting Java Websocket Messaging

Instrumenting Java Websocket MessagingThis article is a code-based discussion of passing OpenTelemetry trace ...