Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

how to do a match field between index and summary index Finding match TraceID

Cheng2Ready
Communicator
‎07-11-2025 01:51 PM

Without using a SubSearch since there is a limit of 10000 results


index="xxxx" field.type="xxx" OR index=Summary_index
| eventstats values(index) as sources by trace
| where mvcount(sources) > 1

| spath output=yyyId path=xxxId input=_raw
| where isnotnull(yyyId) ANDyyyId!=""
| bin _time span=5m AS hour_bucket
| stats latest(_time) as last_activity_in_hour, count by hour_bucket, yyyId
| stats count by hour_bucket
| sort hour_bucket
| rename hour_bucket AS _time
| timechart span=5m values(count) AS "Unique Customers per Hour"



Still doesn't return any results

Labels (1)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎07-11-2025 10:57 PM

1. We don't know neither your events nor your summary index contents.

2. There is much going on here. Try to avoid eventstats if possible. It's a "heavy" command and can run out of memory.

3. You bin by 5m but name your fields as if it was hourly.

4. You're generating several fields which you don't use later.

Reply

gcusello
SplunkTrust
SplunkTrust
‎07-11-2025 10:38 PM

Hi @Cheng2Ready ,

at first don't rename hour_bucket,

then don't use values in timechart command,

then why are you using all these stats?

at least why do you want to list all the values of count without the yyyId? what do you want to extract?

please try:

(index="xxxx" field.type="xxx") OR index=Summary_index
| eventstats values(index) as sources by trace
| where mvcount(sources) > 1
| spath output=yyyId path=xxxId input=_raw
| where isnotnull(yyyId) ANDyyyId!=""
| bin _time span=5m
| stats 
     latest(_time) AS last_activity_in_hour
     count 
     BY _time yyyId
| stats  values(count) AS "Unique Customers per Hour" BY _time

 Could you share more detals about your requirement?

Ciao.

Giuseppe

Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎07-11-2025 02:55 PM

Try removing lines from th end of the search, one at a time, until the results appear, then you will know which line is causing the problem.

If that doesn't work, try sharing some events from the index and the summary index to show us what you are dealing with.

Reply
Get Updates on the Splunk Community!

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...