Re: Why is my stats search on 2 indexes not return... - Page 2

lohit · ‎04-22-2015

Hi all,

I have 2 indexes:
index="abc" with fields uri, a, b, c
and
index="xyz" with fields url, x, y, z

Now the fields url and uri have the same values in both indexes, but this is just a change in the field name.

I want to search both the indexes for all fields a, b, c, x, y, z by url

index="abc" or index="xyz" | eval url=uri | stats values(a),values(b), values(x), values(y) by url

Problem is it is only showing the fields a, b and not x, y in stats results.

any help !!

jeffland · ‎04-22-2015

You could try and see what your results look like before the stats command.
What exactly are you trying to achieve with the eval? If you want every event to have a url field, you might want to use coalesce to keep the data that is already in url for those events which don't have uri. If you want to see events where url=uri, you should use where.

juvetm · ‎04-22-2015

have you try to work with table commad

lohit · ‎04-22-2015

no table command wnt work.

lohit · ‎04-22-2015

I have url field in index="abc" and uri field in index="xyz" but their values are same , so i am searching for events in both indexes with url field and want to collect a,b,x,y,url in stats.

jeffland · ‎04-22-2015

If you really want to use stats, the suggestion from gyslainlatsa is pretty close to what you should do. But maybe you want this:

index="abc" or index="xyz" |eval url=coalesce(url,uri) |table a, b, c, x, y, z, url

lohit · ‎04-22-2015

simple table command will not work

Why is my stats search on 2 indexes not returning fields from one index?

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Introducing the Splunk Community Dashboard Challenge!

Wondering How to Build Resiliency in the Cloud?