Splunk Search

Stats on 2 indexes

Satyapv
Engager

Hello,

I have 2 distinct indexes with distinct values. I want to create one final stats query from selected fields of both indexes.

Ex :

Index A

Fields X Y Z

Stats Count (X) Avg(Y) by XYZ

Index B

Fields K M

stats Count (K) Max(M) by K M

I am able to search both indexes and get separate stats. If I give stats on all fields by XYZKM, it does not give any results.

Note: there are no common fields between the two indexes.


gcusello
SplunkTrust

Hi @Satyapv ,

as @yuanliu said, I don't understand why you would put heterogeneous results in the same search.

Anyway, you could use the append command, but you'll have empty values in the columns of the other search:

index=IndexA
| stats count(X) AS X avg(Y) AS Y BY X Y Z
| append [ search
   index=IndexB
   | stats count(K) AS K max(M) AS M BY K M ]

Ciao.

Giuseppe


Satyapv
Engager

Thank you.

With a huge dashboard it looks like I am hitting the maximum number of concurrent searches Splunk allows, so I was trying to see if I could combine them.

Would append [search…] be started as a new concurrent search?

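As an added illustration for the concurrency question above (this is not from any poster in the thread, and it assumes the field names X, Y, Z in IndexA and K, M in IndexB exactly as described in the question): the bracketed search inside append runs as a subsearch, which is a separate search job with its own limits (for append the defaults are 50,000 results and 60 seconds, after which the subsearch result is truncated). Both aggregations can instead be produced by one base search with no subsearch at all. Each event gets a composite group key built from whichever index it came from, and a single stats call computes both sets of functions, leaving the other index's columns empty:

```spl
index=IndexA OR index=IndexB
| eval grp=if(index=="IndexA", X."|".Y."|".Z, K."|".M)
| stats count(X) AS countX avg(Y) AS avgY count(K) AS countK max(M) AS maxM BY index grp
| eval countX=if(index=="IndexA", countX, null()), countK=if(index=="IndexB", countK, null())
```

The last eval is only cosmetic: count() of a field that is absent from every event in a group returns 0 rather than an empty cell, so it is blanked for the index the field does not belong to. The result has the same shape as the append version (one row per IndexA group, one row per IndexB group, with the unrelated columns empty), but it is a single job, so it does not consume a second concurrent-search slot and is not subject to the subsearch truncation limits.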

yuanliu
SplunkTrust

Forget Splunk.  If there are no common fields between indices, can you illustrate what the stats result would look like?  Please show some sample tables of field values in each index (in text, anonymize as needed).  Then, illustrate the corresponding output table (also in text) that you envision with the two data tables.  If anonymizing data is difficult, illustrate mock data tables and calculate the desired output table by hand, so volunteers can understand your use case.

Let me also point out that your illustrated mock code, "Stats Count (X) Avg(Y) by XYZ", is confusing because you mentioned no field named XYZ.  The other mock code, "stats Count (K) Max(M) by K M", also doesn't make sense because when you group by M, Max(M) can only have the value of that group M, unless K and M do not appear in the same event, in which case Max(M) is null.
