Splunk Dev
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

What will be the best possible to perform the following scenario simpler?

gokikrishnan198
New Member
‎08-01-2018 11:22 PM

Query1: index=IDX|stats count by ApplCode
Output:
ApplCode
1234567890
2345678901
3456789012
4567890123

Query2: index=IDX ApplCode=1234567890 | stats count by CustID ApplCode Status
ApplCode Status
1234567890 Submit
2345678901 Submit
3456789012 Complete
4567890123 Complete

In the above queries, Query1 output goes as input for Query2. For each value in the output of Query1 has to be checked with Query2 and its status has to be updated. What will be the best possible way make this step simpler?

Tags (1)
0 Karma
Reply

DalJeanis
Legend
‎08-02-2018 03:04 PM

Neither of those is the actual output format for those queries - there should be a count field.

Also, you are not going to get that exact output with that second language, unless the same status was on every record.

It might look like 

1234567890 Complete     5   
1234567890 Submit        12 
2345678901 Submit        27
3456789012 Complete      8
...

and so on.

In order to help you, we need more information about the underlying records, and what the purpose of each report is.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-02-2018 08:21 AM

Your example queries may be over-simplified, but you can probably use a single query along the lines of index=IDX | stats count by CustID ApplCode Status

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

AppDynamics Summer Webinars

This summer, our mighty AppDynamics team is cooking up some delicious content on YouTube Live to satiate your ...

SOCin’ it to you at Splunk University

Splunk University is expanding its instructor-led learning portfolio with dedicated Security tracks at .conf25 ...

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Organizations handling credit card transactions know that PCI DSS compliance is both critical and complex. The ...