Splunk Search

How to search the rate of events in indexes A, B, C, D to compare with the rate of events in index D?

lbogle
Contributor

Hello Splunkers,

I am trying to find a way to determine the rate of events of a single index compared to all non-internal indexes. There are numerous indexes, and so I am going to have to use a base search of
index=* NOT index=D | timechart span=1h count but then I need to overlay index=D | timechart span=1h count over the top of it for the timechart. I'm guessing I need to do an appendcols with the index=D data, but am unsure of syntax. Any suggestions?
Thanks!


somesoni2
SplunkTrust

The answer by @Sideview is pretty much what you want. But since you're looking for just the event count by index, you can try a much faster way using the tstats command, something like this:

| tstats count WHERE index=* by index _time span=1h | eval whichIndex=if(index="D","D","All Others") | timechart span=1h sum(count) by whichIndex

chanmi2
Path Finder

You may try this:

index=* NOT index=D | timechart span=1h count as Others | join _time [search index=D | timechart span=1h count as D]

or

index=* | eval isD=if(index=="D", "T", "F") | timechart span=1h count(eval(isD="T")) as "D" count(eval(isD="F")) as "Others"

sideview
SplunkTrust

You can use the eval command to create a new field whose value is "B" vs "All Others", just like so:

index=* | eval whichIndex=if(index="B","B","All Others") | timechart count by whichIndex

And this is a far better way to do it than to use append or appendcols. In general if you have a use case where you feel like you need the join, append, or appendcols command, take a step back and look for a way to get the data off disk in only one fell swoop. The operative metaphors in join/append are very familiar to old SQL hands, but eval and stats are Splunk's most important commands by far.

A good flowchart and breakdown of overall Aggregation logic can be found here.

http://docs.splunk.com/Documentation/Splunk/6.2.5/Search/Abouteventcorrelation
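
Putting the tstats answer and the eval/timechart answer above together, the following is an added example (not posted by anyone in this thread) that gets hourly counts for index D and for every other non-internal index in one pass, pivots them into two named columns, and derives the share that D represents. The column names D and Others and the field pct_D are my own choices; fillnull is there so an hour with no events in one bucket does not leave a null that breaks the ratio:

```spl
| tstats count WHERE index=* BY _time span=1h index
| eval whichIndex=if(index="D","D","Others")
| timechart span=1h sum(count) BY whichIndex
| fillnull value=0 D Others
| eval pct_D=round(100*D/(D+Others),2)
```

Note that `index=*` matches only non-internal indexes; the internal ones (`_internal`, `_audit`, and so on) are only returned when you ask for them explicitly with `index=_*`, so this search already satisfies the "all non-internal indexes" requirement without a NOT clause.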

lbogle
Contributor

Thanks sideview,
I appreciate the succinct query. Very Splunky. 🙂
Thanks also for the reference material.
I was able to get the query working in two different ways and they both returned the same numbers which was cool.
Thanks!


ppablo
Retired

Hi @lbogle

Could you actually share the 2 different searches that both worked for other users to learn and see what you did? Also, be sure to click "Accept" below @sideview's answer to resolve the post. Thanks!
