Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Stats on 2 indexes

Satyapv
Engager
‎10-22-2023 12:09 PM

Hello,

I have 2 distinct indexes with distinct values.Want to create one final stats query from select fields of both indexes.

 

Ex :

Index A

Fields X Y Z

Stats Count (X) Avg(Y) by XYZ

Index B

feilds KM

stats Count (K) Max(M) by K M

i am able search both indexes  and give separate stats, If I give stats on all fields by XYZKM it is not giving any results.

Note: No common feilds between both index’s.

Labels (2)
Labels
Tags (1)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-22-2023 11:27 PM

Hi @Satyapv ,

as @yuanliu said, I don't understand why to put disomogeneous results in te same search.

Anyway, you could use the append command, but you'll have empty values in the columns of the other search:

index=IndexA
| stats Count(X) AS X Avg(Y) AS Y BY XYZ
| append [ search 
   index=IndexB
   | stats Count(K) AS K Max(M) AS M by KM ]

Ciao.

Giuseppe

0 Karma
Reply

Satyapv
Engager
‎10-22-2023 11:44 PM

 

thank you.


With huge dashboard looks like I am hitting maximum concurrent searches Splunk allows was try to see if I could combine.

would append [search…] would be started as new concurrent search?

0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎10-22-2023 09:18 PM

Forget Splunk.  If there are no common fields between indices, can you illustrate what the stats result would look like?  Please show some sample tables of field values in each index (in text, anonymize as needed).  Then, illustrate the corresponding output table (also in text) that you envision with the two data data tables.  If anonymizing data is difficult, illustrate mock data tables and calculate desired output table by hand, so volunteers can understand your use case.

Let me also point out that your illustrated mock code, "Stats Count (X) Avg(Y) by XYZ", is confusing because you mentioned no field named XYZ.  The other mock code, "stats Count (K) Max(M) by K M", also doesn't make sense because when you group by M, Max(M) can only have the value of that group M, unless K and M do not appear in the same event, in which case Max(M) is null.

0 Karma
Reply
Get Updates on the Splunk Community!

Modern way of developing distributed application using OTel

Recently, I had the opportunity to work on a complex microservice using Spring boot and Quarkus to develop a ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had 3 releases of new security content via the Enterprise Security ...

Archived Metrics Now Available for APAC and EMEA realms

We’re excited to announce the launch of Archived Metrics in Splunk Infrastructure Monitoring for our customers ...