Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

how to do a match field between index and summary index Finding match TraceID

Cheng2Ready
Communicator
‎07-11-2025 01:51 PM

Without using a SubSearch since there is a limit of 10000 results


index="xxxx" field.type="xxx" OR index=Summary_index
| eventstats values(index) as sources by trace
| where mvcount(sources) > 1

| spath output=yyyId path=xxxId input=_raw
| where isnotnull(yyyId) ANDyyyId!=""
| bin _time span=5m AS hour_bucket
| stats latest(_time) as last_activity_in_hour, count by hour_bucket, yyyId
| stats count by hour_bucket
| sort hour_bucket
| rename hour_bucket AS _time
| timechart span=5m values(count) AS "Unique Customers per Hour"



Still doesn't return any results

Labels (1)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎07-11-2025 10:57 PM

1. We don't know neither your events nor your summary index contents.

2. There is much going on here. Try to avoid eventstats if possible. It's a "heavy" command and can run out of memory.

3. You bin by 5m but name your fields as if it was hourly.

4. You're generating several fields which you don't use later.

Reply

gcusello
SplunkTrust
SplunkTrust
‎07-11-2025 10:38 PM

Hi @Cheng2Ready ,

at first don't rename hour_bucket,

then don't use values in timechart command,

then why are you using all these stats?

at least why do you want to list all the values of count without the yyyId? what do you want to extract?

please try:

(index="xxxx" field.type="xxx") OR index=Summary_index
| eventstats values(index) as sources by trace
| where mvcount(sources) > 1
| spath output=yyyId path=xxxId input=_raw
| where isnotnull(yyyId) ANDyyyId!=""
| bin _time span=5m
| stats 
     latest(_time) AS last_activity_in_hour
     count 
     BY _time yyyId
| stats  values(count) AS "Unique Customers per Hour" BY _time

 Could you share more detals about your requirement?

Ciao.

Giuseppe

Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎07-11-2025 02:55 PM

Try removing lines from th end of the search, one at a time, until the results appear, then you will know which line is causing the problem.

If that doesn't work, try sharing some events from the index and the summary index to show us what you are dealing with.

Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...