Solved: Re: help on basic search with 2 index

jip31 · ‎02-18-2020

HIhi

why I have no resulys even if I merge 2 index even if I have results when I execute one or the other?
(index=ai-pe-* sourcetype="Perfmon:Mem OR index=ai-wmi-* sourcetype="WMI:Mem")
| fields host Value TotalPhysicalMemory
| eval FreeMemory = round(Value, 2). " MB"
| eval TotalMemory = round((TotalPhysicalMemory / 1024 / 1024), 2). " MB"

nickhills · ‎02-18-2020

Your query currently gets interpreted as this:
(I'm also guessing there were *s in the index names - use the code formatter tool 101010 to avoid the html renderer removing them)

index=ai-pe-* AND (sourcetype="Perfmon:Mem OR index=ai-wmi-*) AND sourcetype="WMI:Mem"

Instead you want:

(index=ai-pe-* AND sourcetype="Perfmon:Mem) OR (index=ai-wmi-* AND sourcetype="WMI:Mem")

You can leave the ANDs out - I just added them for clairty

If my comment helps, please give it a thumbs up!

View solution in original post

nickhills · ‎02-18-2020

Your query currently gets interpreted as this:
(I'm also guessing there were *s in the index names - use the code formatter tool 101010 to avoid the html renderer removing them)

index=ai-pe-* AND (sourcetype="Perfmon:Mem OR index=ai-wmi-*) AND sourcetype="WMI:Mem"

Instead you want:

(index=ai-pe-* AND sourcetype="Perfmon:Mem) OR (index=ai-wmi-* AND sourcetype="WMI:Mem")

You can leave the ANDs out - I just added them for clairty

If my comment helps, please give it a thumbs up!

jip31 · ‎02-18-2020

you are right, thanks

help on basic search with 2 index

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Casting Call: Compete in Cyber Games

Announcing Modern Navigation: A New Era of Splunk User Experience

How Edge Processor's Durable Queue Works

Join the Conversation