Splunk Search

get count of subsearch and main search

New Member

I am trying to get an inner join result which looks something like this: if there are 100 unique fields from the subsearch, I want to confirm whether each field is present in the main search and get the count if present.


Ultra Champion
index=A "SMSSent=[1]" earliest=-11m@m latest=-1m@m
| eval flag="SMS"
| append [ search index=A "DeliveryReceipt=[1]" earliest=-12m@m latest=-0m@m 
| eval flag="DR"]
| stats count by flag

how about this?


New Member

This is great, but the subsearch results aren't a subset of the main search results (based on the MessageID field), which is the challenge.


Ultra Champion

I have no idea what log you want to count.

my answer result:

flag count
DR  xxx
SMS XXX

comparison:

index=A "SMSSent=[1]" earliest=-11m@m latest=-1m@m
| eval flag="SMS"
| append [ search index=A "DeliveryReceipt=[1]" earliest=-12m@m latest=-0m@m 
| eval flag="DR"]
| stats count(eval(flag="SMS")) as SMS count(eval(flag="DR")) as DR
| eval compare = DR - SMS

this result:

DR  SMS compare
XXX YYY ZZ

New Member

index=A "SMSSent=[1]" earliest=-11m@m latest=-1m@m
| join type=inner MessageID [ search index=A "DeliveryReceipt=[1]" earliest=-12m@m latest=-0m@m ]

Here I'm getting the results from my main search and mapping them to the subsearch. I am wondering how the count can be calculated for the main search results and the count for the join results.


New Member

to4kawa - I am able to do the inner join but am struggling with getting the count. Are you suggesting alternatives to the join statement for this purpose?

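One way to get both numbers in a single search without join, added here as an example and not code from any poster in this thread: it reuses the append pattern from to4kawa's answer, groups by MessageID (assumed to exist in both the SMSSent and DeliveryReceipt events), then counts how many MessageIDs the main search produced and how many of those also have a DeliveryReceipt event, which is what the inner join would have kept.

```spl
index=A "SMSSent=[1]" earliest=-11m@m latest=-1m@m
| eval flag="SMS"
| append [ search index=A "DeliveryReceipt=[1]" earliest=-12m@m latest=-0m@m
    | eval flag="DR" ]
| stats count(eval(flag="SMS")) AS sms count(eval(flag="DR")) AS dr BY MessageID
| stats count(eval(sms>0)) AS main_count
        count(eval(sms>0 AND dr>0)) AS joined_count
        count(eval(sms=0 AND dr>0)) AS dr_only_count
| eval unmatched_count = main_count - joined_count
```

main_count and joined_count are distinct MessageIDs rather than raw events; dr_only_count shows the receipts that have no matching SMSSent in the main window, which is the non-subset case described above. Note that the appended subsearch is still subject to Splunk's subsearch result and time limits, so check that dr_only_count plus joined_count matches the DR count from the earlier stats answer before trusting the numbers.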