Splunk Search

search in a multiple index at one go

Contributor

I want to search five keywords in 3 indexes named "one", "two", "three".

I want my output like:

keyword   "one"   "two"   "three"
mumbai      5       3       2
kolkata     2       2       1
chennai     0       6       4

All the numeric fields are the number of occurrences of the keyword in each index (one, two and three).
Now, I am able to generate this for the "one" index, but if I run the same query for the three indexes separately then 3 reports would be generated. I want to create only one report. Is there any way to search the same query for more than one index at the same time so that I can have the above output?

Please help.

Thanks


Re: search in a multiple index at one go

SplunkTrust

I'm not sure if this is what you are looking for, but you could use the contingency keyword:

sourcetype=foo | contingency keyword, index

It should output something like:

keyword one two three four TOTAL
Mumbai count count count count total_count
chennai count count count count total_count

http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/Contingency


Re: search in a multiple index at one go

Contributor

I have one index created called "one". I am running my search on this index and I am getting the output as:

keyword   "one"
mumbai      5
kolkata     2
chennai     0

For another index, "two", my output would be:

keyword   "two"
mumbai      3
kolkata     2
chennai     6

So, I have two separate reports with me. But instead of creating two reports I want to create only one report which would contain:

keyword   "one"   "two"
mumbai      5       3
kolkata     2       2
chennai     6       4

I want this output. Please help!

I hope you understood my requirement.

Thanks
Abhay


Re: search in a multiple index at one go

SplunkTrust

If you are referring to Splunk indexes, you can throw them in the same search:

sourcetype=foo index=one OR index=two OR index=three


Re: search in a multiple index at one go

Contributor

But how can I bring them together in the table?


Re: search in a multiple index at one go

SplunkTrust

By using the contingency command as mentioned earlier. Your entire search would be:

sourcetype=foo index=one OR index=two OR index=three | contingency keyword index

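Putting the two answers together, here is a complete search that covers all three indexes and produces the requested keyword-by-index table in one report. This is an added example, not a search posted in the thread. It assumes, as the answers above do, that each event carries a field named keyword holding the city name and that the data has sourcetype foo; the question never shows where the keyword field comes from, so adjust that part to your own extraction. The parentheses around the index and keyword lists make the grouping explicit regardless of how Splunk orders AND and OR. Only the three keywords shown in the question are listed; add the other two to the OR list. The first search is the contingency version from the accepted answer; the second uses chart, which produces the same row/column shape and is the form most people save as a scheduled report.

```spl
sourcetype=foo (index=one OR index=two OR index=three)
    (keyword=mumbai OR keyword=kolkata OR keyword=chennai)
| contingency keyword index

sourcetype=foo (index=one OR index=two OR index=three)
    (keyword=mumbai OR keyword=kolkata OR keyword=chennai)
| chart count OVER keyword BY index
| fillnull value=0
| addtotals fieldname=TOTAL
```

Run either search over the time range you want, then use Save As > Report; the one saved search covers all three indexes, so there is no need for three reports. Two things to check on the result: contingency and chart can only tabulate values that occur in at least one event, so a keyword that matches in none of the indexes is missing from the table rather than shown as a row of zeros; and chart's BY clause keeps only the ten most common series by default (extra ones are folded into an OTHER column), which does not matter for three indexes but becomes a problem if you later extend the index list.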