Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Retrieving stats from multiple summary reports

beaumaris
Communicator
‎04-04-2011 08:51 PM

What's the best way to retrieve stats from multiple reports in the summary index? We have a remote client that will use the REST API to run a search that should return 4 data points, each of which is a value calculated from a different report in our summary index. I thought we could use repeated "| search" commands but either I have the syntax incorrect or it isn't supported. As an example of the type of data being accessed:

index=summary report=unique_clients : contains Unique_Clients field which is #unique clients over time

index=summary report=4xx_errors : contains Num_Errors field which is # of 4* errors over time

I would like to run one search that combines the results of searches similar to the following:

index=summary report=unique_clients | stats sum(Unique_Clients) ...

index=summary report=4xx_errors | stats sum(NumErrors) ...

I want to return all 4 data points in one call to save on network overhead and also provide the data in a form useful to the remote client; it's silly to have them make 4 separate calls, and worse when we eventually need to return even more distinct data points to the remote clients. Thanks for any pointers,

Tom

Tags (1)
Reply

araitz
Splunk Employee
Splunk Employee
‎04-04-2011 09:56 PM

Why not keep it simple?

index=summary report=unique_clients OR report=4xx_errors 
| stats sum(Unique_Clients) as uc_sum sum(NumErrors) as ne_sum
Reply

sideview
SplunkTrust
SplunkTrust
‎04-05-2011 06:23 AM

a little bit of eval field1=if(isnull(field1),field2,field1) can go a long way to normalize different field spaces.

0 Karma
Reply

hazekamp
Builder
‎04-05-2011 12:07 AM

This should work as well as long as you don't have different split-by fields.

0 Karma
Reply

hazekamp
Builder
‎04-04-2011 09:48 PM

This would probably be done easiest w/ the 'append' search command like so:

index=summary report=unique_clients | stats sum(Unique_Clients) ... | append[search index=summary report=4xx_errors | stats sum(NumErrors) ...]

The only problem I forsee is figuring which rows should have values for which columns. It may be simple enough to ignore null column values for a given row.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...