Splunk Search

help on basic search with 2 index

jip31
Motivator

HIhi

why I have no resulys even if I merge 2 index even if I have results when I execute one or the other?
(index=ai-pe-* sourcetype="Perfmon:Mem OR index=ai-wmi-* sourcetype="WMI:Mem")
| fields host Value TotalPhysicalMemory
| eval FreeMemory = round(Value, 2). " MB"
| eval TotalMemory = round((TotalPhysicalMemory / 1024 / 1024), 2). " MB"

Tags (1)
0 Karma
1 Solution

nickhills
Ultra Champion

Your query currently gets interpreted as this:
(I'm also guessing there were *s in the index names - use the code formatter tool 101010 to avoid the html renderer removing them)

index=ai-pe-* AND (sourcetype="Perfmon:Mem OR index=ai-wmi-*) AND sourcetype="WMI:Mem"

Instead you want:

(index=ai-pe-* AND sourcetype="Perfmon:Mem) OR (index=ai-wmi-* AND sourcetype="WMI:Mem")

You can leave the ANDs out - I just added them for clairty

If my comment helps, please give it a thumbs up!

View solution in original post

0 Karma

nickhills
Ultra Champion

Your query currently gets interpreted as this:
(I'm also guessing there were *s in the index names - use the code formatter tool 101010 to avoid the html renderer removing them)

index=ai-pe-* AND (sourcetype="Perfmon:Mem OR index=ai-wmi-*) AND sourcetype="WMI:Mem"

Instead you want:

(index=ai-pe-* AND sourcetype="Perfmon:Mem) OR (index=ai-wmi-* AND sourcetype="WMI:Mem")

You can leave the ANDs out - I just added them for clairty

If my comment helps, please give it a thumbs up!
0 Karma

jip31
Motivator

you are right, thanks

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...