Splunk Search

get count of subsearch and main search

sree6494
New Member

I am trying to get an inner join result that looks something like this: if there are 100 unique fields from the subsearch, I want to confirm whether each field is present in the main search and get the count if it is present. Get the count of the subsearch and the main search.

0 Karma

to4kawa
Ultra Champion
index=A "SMSSent=[1]" earliest=-11m@m latest=-1m@m
| eval flag="SMS"
| append [ search index=A "DeliveryReceipt=[1]" earliest=-12m@m latest=-0m@m 
| eval flag="DR"]
| stats count by flag

how about this?

0 Karma

sree6494
New Member

this is great, but the subsearch results aren't a subset of the main search results (based on the MessageID field), which is the challenge

0 Karma

to4kawa
Ultra Champion

I have no idea what log you want to count.

my answer result:

flag count
DR  xxx
SMS XXX

comparison:

index=A "SMSSent=[1]" earliest=-11m@m latest=-1m@m
| eval flag="SMS"
| append [ search index=A "DeliveryReceipt=[1]" earliest=-12m@m latest=-0m@m 
| eval flag="DR"]
| stats count(eval(flag="SMS")) as SMS count(eval(flag="DR")) as DR
| eval compare = DR -SMS

this result:

DR  SMS compare
XXX YYY ZZ

0 Karma


sree6494
New Member

index=A "SMSSent=[1]" earliest=-11m@m latest=-1m@m
| join type=inner MessageID [ search index=A "DeliveryReceipt=[1]" earliest=-12m@m latest=-0m@m ]

Here I'm getting the results from my main search and mapping them to the subsearch. I am wondering how the count can be calculated for the main search results and the count for the join results.

0 Karma

sree6494
New Member

to4kawa - I am able to do the inner join but am struggling with getting the count. Are you suggesting alternatives to the join statement for this purpose?

0 Karma
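One way to get both numbers from a single search, combining to4kawa's append/flag approach with a per-MessageID rollup so that no join is needed (added example, not from either poster; it assumes MessageID is extracted on both the "SMSSent" and "DeliveryReceipt" events and keeps the two time windows from the thread):

```spl
index=A "SMSSent=[1]" earliest=-11m@m latest=-1m@m
| eval flag="SMS"
| append [ search index=A "DeliveryReceipt=[1]" earliest=-12m@m latest=-0m@m
    | eval flag="DR" ]
| stats count(eval(flag="SMS")) as sms_events count(eval(flag="DR")) as dr_events by MessageID
| stats count(eval(sms_events>0)) as main_ids
        count(eval(dr_events>0)) as sub_ids
        count(eval(sms_events>0 AND dr_events>0)) as matched_ids
        sum(sms_events) as main_events
        sum(eval(if(dr_events>0, sms_events, 0))) as matched_events
```

The first stats collapses both result sets to one row per MessageID, so main_ids is the number of distinct IDs in the main search, sub_ids the number in the subsearch, and matched_ids the number present in both (the inner-join count); main_events and matched_events give the same comparison at the event level. Because the subsearch is appended rather than joined, the result is not truncated by join's subsearch result limit, which is the usual reason a join-based count silently comes out low.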