Splunk Search

get count of subsearch and main search

sree6494
New Member

I am trying to get an inner join result which looks something like this: if there are 100 unique fields from the subsearch, I want to confirm whether each field is present in the main search and get the count if it is present. Get the count of the subsearch and the main search.

0 Karma

to4kawa
Ultra Champion
index=A "SMSSent=[1]" earliest=-11m@m latest=-1m@m
| eval flag="SMS"
| append [ search index=A "DeliveryReceipt=[1]" earliest=-12m@m latest=-0m@m 
| eval flag="DR"]
| stats count by flag

How about this?

0 Karma

sree6494
New Member

This is great, but the subsearch results aren't a subset of the main search results (based on the MessageID field), which is the challenge.

0 Karma

to4kawa
Ultra Champion

I have no idea what log you want to count.

My answer's result:

flag count
DR  xxx
SMS XXX

comparison:

index=A "SMSSent=[1]" earliest=-11m@m latest=-1m@m
| eval flag="SMS"
| append [ search index=A "DeliveryReceipt=[1]" earliest=-12m@m latest=-0m@m 
| eval flag="DR"]
| stats count(eval(flag="SMS")) as SMS count(eval(flag="DR")) as DR
| eval compare = DR - SMS

this result:

DR  SMS compare
XXX YYY ZZ
0 Karma


sree6494
New Member

index=A "SMSSent=[1]" earliest=-11m@m latest=-1m@m
| join type=inner MessageID [ search index=A "DeliveryReceipt=[1]" earliest=-12m@m latest=-0m@m ]

Here I'm getting the results from my main search and mapping them to the subsearch. I am wondering how the count can be calculated for the main search results and the count for the join results.

0 Karma

sree6494
New Member

to4kawa - I am able to do the inner join but am struggling with getting the count. Are you suggesting alternatives to the join statement for this purpose?

0 Karma
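The following search is an added example, not code posted by either participant. It combines the two approaches in the thread: it keeps to4kawa's append pattern (which avoids the join command and its subsearch result cap) but correlates on MessageID the way sree6494's join does, so the output carries both the number of MessageIDs seen in the main search and the number that also appear in the subsearch (the inner-join count). It assumes that every event of both kinds carries a MessageID field; the output field names are illustrative.

```spl
index=A "SMSSent=[1]" earliest=-11m@m latest=-1m@m
| eval flag="SMS"
| append [ search index=A "DeliveryReceipt=[1]" earliest=-12m@m latest=-0m@m
    | eval flag="DR" ]
| stats count(eval(flag="SMS")) as sms_events count(eval(flag="DR")) as dr_events by MessageID
| stats count(eval(sms_events>0)) as main_count
        count(eval(sms_events>0 AND dr_events>0)) as joined_count
        count(eval(sms_events=0 AND dr_events>0)) as dr_only_count
| eval missing_receipt = main_count - joined_count
```

Here main_count is the number of distinct MessageIDs in the main search, joined_count is what an inner join on MessageID would return (IDs present in both), dr_only_count is the subsearch rows that have no match in the main search (the "not a subset" case raised above), and missing_receipt is the number of sent messages with no delivery receipt. Two caveats: the counts are per distinct MessageID, so if the main search emits several events for one ID they are folded into one row and main_count will be lower than a plain `stats count` on the main search; and the appended subsearch is still subject to Splunk's subsearch result and run-time limits, so for large volumes replace the append with a single base search over both event types (for example `index=A ("SMSSent=[1]" OR "DeliveryReceipt=[1]")` with `flag` derived via `eval` and `case`) and keep the same two `stats` stages.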