How to search multiple indexes and display results...

carlpier · ‎02-09-2015

Hello,

I am looking for a way to play in a single table the results of two different indexes.
The two searches are:

index="imwaccesslog" sourcetype="IMWAccessLog" URI = /nbd-rest/rest/mch/inquiry/Inquiry/recuperaProfiloUtente | stats count Max(ETsec)

AND

index="nbdrest-performance" sourcetype="PerfNBDCustomTSV" Service =  DBDisposizioniServiceImpl.recuperaProfiloUtenteBOL | stats count Max(ETms)

Any help would be greatly appreciated.

Thanks in advance!

MuS · ‎02-09-2015

Hi carlpier,

Something like this sould work:

 index="imwaccesslog" OR index=nbdrest-performance sourcetype="IMWAccessLog" OR sourcetype="PerfNBDCustomTSV" URI=/nbd-rest/rest/mch/inquiry/Inquiry/recuperaProfiloUtente OR Service=DBDisposizioniServiceImpl.recuperaProfiloUtenteBOL | stats count Max(ETms) Max(ETsec)

Hope this helps to get you started ...

cheers, MuS

carlpier · ‎02-09-2015

thanks, I would like to separate the two counts by adding a where conditions for both searches:

eventstats perc95(ETsec) as resp_time_95_L by FIELD1 | where ETsec < resp_time_95_L | chart count avg(ETsec) stdev(ETsec) range(ETsec) min(ETsec) max(ETsec) by FIELD1| sort count | reverse

and

eventstats perc95(ETms) as resp_time_95_P by FIELD2 | where ETms < resp_time_95_P | chart count
avg(ETms) stdev(ETms) range(ETms) min(ETms) max(ETms) by FIELD2| sort count | reverse

How to search multiple indexes and display results in a single table?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor