Splunk Search
Highlighted

Retrieving stats from multiple summary reports

Communicator

What's the best way to retrieve stats from multiple reports in the summary index? We have a remote client that will use the REST API to run a search that should return 4 data points, each of which is a value calculated from a different report in our summary index. I thought we could use repeated "| search" commands but either I have the syntax incorrect or it isn't supported. As an example of the type of data being accessed:

index=summary report=unique_clients : contains Unique_Clients field which is #unique clients over time

index=summary report=4xx_errors : contains Num_Errors field which is # of 4* errors over time

I would like to run one search that combines the results of searches similar to the following:

index=summary report=unique_clients | stats sum(Unique_Clients) ...

index=summary report=4xx_errors | stats sum(NumErrors) ...

I want to return all 4 data points in one call to save on network overhead and also provide the data in a form useful to the remote client; it's silly to have them make 4 separate calls, and worse when we eventually need to return even more distinct data points to the remote clients. Thanks for any pointers,

Tom

Tags (1)
Highlighted

Re: Retrieving stats from multiple summary reports

Builder

This would probably be done easiest w/ the 'append' search command like so:

index=summary report=unique_clients | stats sum(Unique_Clients) ... | append[search index=summary report=4xx_errors | stats sum(NumErrors) ...]

The only problem I forsee is figuring which rows should have values for which columns. It may be simple enough to ignore null column values for a given row.

0 Karma

Re: Retrieving stats from multiple summary reports

Splunk Employee
Splunk Employee

Why not keep it simple?

index=summary report=unique_clients OR report=4xx_errors 
| stats sum(Unique_Clients) as uc_sum sum(NumErrors) as ne_sum
Highlighted

Re: Retrieving stats from multiple summary reports

Builder

This should work as well as long as you don't have different split-by fields.

0 Karma
Highlighted

Re: Retrieving stats from multiple summary reports

SplunkTrust
SplunkTrust

a little bit of eval field1=if(isnull(field1),field2,field1) can go a long way to normalize different field spaces.

0 Karma