Splunk Search

how to do a match field between index and summary index Finding match TraceID

Cheng2Ready
Communicator

Without using a SubSearch since there is a limit of 10000 results


index="xxxx" field.type="xxx" OR index=Summary_index
| eventstats values(index) as sources by trace
| where mvcount(sources) > 1

| spath output=yyyId path=xxxId input=_raw
| where isnotnull(yyyId) AND yyyId!=""
| bin _time span=5m AS hour_bucket
| stats latest(_time) as last_activity_in_hour, count by hour_bucket, yyyId
| stats count by hour_bucket
| sort hour_bucket
| rename hour_bucket AS _time
| timechart span=5m values(count) AS "Unique Customers per Hour"



Still doesn't return any results


PickleRick
SplunkTrust

1. We know neither your events nor your summary index contents.

2. There is much going on here. Try to avoid eventstats if possible. It's a "heavy" command and can run out of memory.

3. You bin by 5m but name your fields as if it was hourly.

4. You're generating several fields which you don't use later.

gcusello
SplunkTrust

Hi @Cheng2Ready ,

at first don't rename hour_bucket,

then don't use values in timechart command,

then why are you using all these stats?

at least why do you want to list all the values of count without the yyyId? what do you want to extract?

please try:

(index="xxxx" field.type="xxx") OR index=Summary_index
| eventstats values(index) as sources by trace
| where mvcount(sources) > 1
| spath output=yyyId path=xxxId input=_raw
| where isnotnull(yyyId) AND yyyId!=""
| bin _time span=5m
| stats 
     latest(_time) AS last_activity_in_hour
     count 
     BY _time yyyId
| stats  values(count) AS "Unique Customers per Hour" BY _time

Could you share more details about your requirement?

Ciao.

Giuseppe

ITWhisperer
SplunkTrust

Try removing lines from the end of the search, one at a time, until the results appear, then you will know which line is causing the problem.

If that doesn't work, try sharing some events from the index and the summary index to show us what you are dealing with.
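As an added example (not from any of the replies above), here is one way to write the "trace present in both indexes" match with a single stats pass instead of a subsearch or eventstats, reusing the placeholder names from the question (index="xxxx", Summary_index, trace, xxxId, yyyId); the field names source_count, first_seen and matched_traces are assumed names introduced here.

```spl
(index="xxxx" field.type="xxx") OR index=Summary_index
| spath output=yyyId path=xxxId input=_raw
| eval yyyId=if(yyyId=="", null(), yyyId)
| stats dc(index) AS source_count values(index) AS sources values(yyyId) AS yyyId earliest(_time) AS first_seen count AS events BY trace
| where source_count > 1 AND isnotnull(yyyId)
| bin first_seen span=5m
| stats count AS matched_traces dc(yyyId) AS "Unique Customers per 5m" BY first_seen
| rename first_seen AS _time
```

Collecting yyyId with values() in the first stats means the match still works when only one of the two indexes carries that field, and the empty-string check is folded into the eval so the isnotnull filter covers both cases; the final rename only exists so the table charts on a time axis.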
