- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Combining and summing the results of two searches
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi -
I have two searches that have the same fields exactly but from different sources.
I would like to join and sum the results and output
The searches:
index="atti" sourcetype="strongmail" source="/data1/strongmail/log/strongmail-retryfailed.log" mailingclass="smtpvhost1.yp.com"|stats count as NumberFailed by MailingId,Bouncetype
MailingId, Bouncetype, NumberFailed
12121,2004,2
12058,3004,4
index="atti" sourcetype="strongmail" source="/data1/strongmail/log/strongmail-failed.log" mailingclass="smtpvhost1.yp.com" |stats count as NumberFailed by MailingId,Bouncetype
MailingId, Bouncetype, NumberFailed
12121,2004,4
12058,3004,6
They return exactly as you see the same columns, I want combine(Sum) the results and output:
MailingId, Bouncetype, NumberFailed
12121,2004,6
12058,3004,10
Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Like this:
index="atti" sourcetype="strongmail" mailingclass="smtpvhost1.yp.com" (source="/data1/strongmail/log/strongmail-retryfailed.log" OR source="/data1/strongmail/log/strongmail-failed.log") |stats count as NumberFailed by MailingId,Bouncetype
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi rajadatta
Try the following query :
|set union [search index="atti" sourcetype="strongmail" source="/data1/strongmail/log/strongmail-retryfailed.log" mailingclass="smtpvhost1.yp.com"|stats count as NumberFailed by MailingId,Bouncetype ] [search index="atti" sourcetype="strongmail" source="/data1/strongmail/log/strongmail-failed.log" mailingclass="smtpvhost1.yp.com" |stats count as NumberFailed by MailingId,Bouncetype ]|stats sum(NumberFailed) as total_NumberFailed
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the help. I went with the first answer as it was what I was looking for.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks this gives me the total failed as count. I can use this as well for another report.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Like this:
index="atti" sourcetype="strongmail" mailingclass="smtpvhost1.yp.com" (source="/data1/strongmail/log/strongmail-retryfailed.log" OR source="/data1/strongmail/log/strongmail-failed.log") |stats count as NumberFailed by MailingId,Bouncetype
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks this is what I needed.
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
