Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Retrieving stats from multiple summary reports

beaumaris
Communicator
‎04-04-2011 08:51 PM

What's the best way to retrieve stats from multiple reports in the summary index? We have a remote client that will use the REST API to run a search that should return 4 data points, each of which is a value calculated from a different report in our summary index. I thought we could use repeated "| search" commands but either I have the syntax incorrect or it isn't supported. As an example of the type of data being accessed:

index=summary report=unique_clients : contains Unique_Clients field which is #unique clients over time

index=summary report=4xx_errors : contains Num_Errors field which is # of 4* errors over time

I would like to run one search that combines the results of searches similar to the following:

index=summary report=unique_clients | stats sum(Unique_Clients) ...

index=summary report=4xx_errors | stats sum(NumErrors) ...

I want to return all 4 data points in one call to save on network overhead and also provide the data in a form useful to the remote client; it's silly to have them make 4 separate calls, and worse when we eventually need to return even more distinct data points to the remote clients. Thanks for any pointers,

Tom

Tags (1)
Reply

araitz
Splunk Employee
Splunk Employee
‎04-04-2011 09:56 PM

Why not keep it simple?

index=summary report=unique_clients OR report=4xx_errors 
| stats sum(Unique_Clients) as uc_sum sum(NumErrors) as ne_sum
Reply

sideview
SplunkTrust
SplunkTrust
‎04-05-2011 06:23 AM

a little bit of eval field1=if(isnull(field1),field2,field1) can go a long way to normalize different field spaces.

0 Karma
Reply

hazekamp
Builder
‎04-05-2011 12:07 AM

This should work as well as long as you don't have different split-by fields.

0 Karma
Reply

hazekamp
Builder
‎04-04-2011 09:48 PM

This would probably be done easiest w/ the 'append' search command like so:

index=summary report=unique_clients | stats sum(Unique_Clients) ... | append[search index=summary report=4xx_errors | stats sum(NumErrors) ...]

The only problem I forsee is figuring which rows should have values for which columns. It may be simple enough to ignore null column values for a given row.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Continue Your Federation Journey: Join Session 3 of the Bootcamp Series

To help practitioners build a stronger foundation, we launched the Data Management & Federation ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Casting Call: Compete in Cyber Games

Lights, Camera, SecOps: Apply to Compete in Cyber Games     Think you have what it takes to beat the clock? ...