Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Retrieving stats from multiple summary reports

beaumaris
Communicator
‎04-04-2011 08:51 PM

What's the best way to retrieve stats from multiple reports in the summary index? We have a remote client that will use the REST API to run a search that should return 4 data points, each of which is a value calculated from a different report in our summary index. I thought we could use repeated "| search" commands but either I have the syntax incorrect or it isn't supported. As an example of the type of data being accessed:

index=summary report=unique_clients : contains Unique_Clients field which is #unique clients over time

index=summary report=4xx_errors : contains Num_Errors field which is # of 4* errors over time

I would like to run one search that combines the results of searches similar to the following:

index=summary report=unique_clients | stats sum(Unique_Clients) ...

index=summary report=4xx_errors | stats sum(NumErrors) ...

I want to return all 4 data points in one call to save on network overhead and also provide the data in a form useful to the remote client; it's silly to have them make 4 separate calls, and worse when we eventually need to return even more distinct data points to the remote clients. Thanks for any pointers,

Tom

Tags (1)
Reply

araitz
Splunk Employee
Splunk Employee
‎04-04-2011 09:56 PM

Why not keep it simple?

index=summary report=unique_clients OR report=4xx_errors 
| stats sum(Unique_Clients) as uc_sum sum(NumErrors) as ne_sum
Reply

sideview
SplunkTrust
SplunkTrust
‎04-05-2011 06:23 AM

a little bit of eval field1=if(isnull(field1),field2,field1) can go a long way to normalize different field spaces.

0 Karma
Reply

hazekamp
Builder
‎04-05-2011 12:07 AM

This should work as well as long as you don't have different split-by fields.

0 Karma
Reply

hazekamp
Builder
‎04-04-2011 09:48 PM

This would probably be done easiest w/ the 'append' search command like so:

index=summary report=unique_clients | stats sum(Unique_Clients) ... | append[search index=summary report=4xx_errors | stats sum(NumErrors) ...]

The only problem I forsee is figuring which rows should have values for which columns. It may be simple enough to ignore null column values for a given row.

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...