Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Stats on 2 indexes

Satyapv
Engager
‎10-22-2023 12:09 PM

Hello,

I have 2 distinct indexes with distinct values.Want to create one final stats query from select fields of both indexes.

 

Ex :

Index A

Fields X Y Z

Stats Count (X) Avg(Y) by XYZ

Index B

feilds KM

stats Count (K) Max(M) by K M

i am able search both indexes  and give separate stats, If I give stats on all fields by XYZKM it is not giving any results.

Note: No common feilds between both index’s.

Labels (2)
Labels
Tags (1)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-22-2023 11:27 PM

Hi @Satyapv ,

as @yuanliu said, I don't understand why to put disomogeneous results in te same search.

Anyway, you could use the append command, but you'll have empty values in the columns of the other search:

index=IndexA
| stats Count(X) AS X Avg(Y) AS Y BY XYZ
| append [ search 
   index=IndexB
   | stats Count(K) AS K Max(M) AS M by KM ]

Ciao.

Giuseppe

0 Karma
Reply

Satyapv
Engager
‎10-22-2023 11:44 PM

 

thank you.


With huge dashboard looks like I am hitting maximum concurrent searches Splunk allows was try to see if I could combine.

would append [search…] would be started as new concurrent search?

0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎10-22-2023 09:18 PM

Forget Splunk.  If there are no common fields between indices, can you illustrate what the stats result would look like?  Please show some sample tables of field values in each index (in text, anonymize as needed).  Then, illustrate the corresponding output table (also in text) that you envision with the two data data tables.  If anonymizing data is difficult, illustrate mock data tables and calculate desired output table by hand, so volunteers can understand your use case.

Let me also point out that your illustrated mock code, "Stats Count (X) Avg(Y) by XYZ", is confusing because you mentioned no field named XYZ.  The other mock code, "stats Count (K) Max(M) by K M", also doesn't make sense because when you group by M, Max(M) can only have the value of that group M, unless K and M do not appear in the same event, in which case Max(M) is null.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk on November 6 at 11AM PT, and empower your SOC to reach new heights! Duration: ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...