- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to connect two different indexes by unique ite...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to connect two different indexes by unique item code showing count / percent (with match) & (without match)?
- I have 2 indexes.
- 1st index (Index1) has a unique item code (Item1) for an item when it enters a process.
- 2nd index (Index2) should have the same unique item code (Item2) when the item exits the process.
- I want to produce report showing a count / percent where the (Index1.Item1 = Index2.Item2) & where (Index1.Item1 <> Index2.Item2).
Please show examples of SPL if possible and thank you!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try something like this
(index=index1 other parts ) OR (index=index2 other parts)
| eval itemCode=coalesce(item1,item2)
| stats dc(index) as reportedBy by itemCode
| stats count as Count by reportedBy | eventstats sum(Count) as Total
| eval Percent=round(Count*100/Total,2)
| eval ItemType=if(reportedBy=2,"Common in Both Indexes","Unique in Both Indexes")
| table ItemType Count Percent
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey@timothytruax,
Try something like this,
if item1 and item2 has same fields then
index=index1 OR index=index2 | rename item2 as item1 | stats count dc(index) AS dc by item1 | where dc>1 | stats count .
This will give you the count of items having common values.
Let me know if this helps!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey deepashri_123 -
What if there is possibility of duplicates in Index1 of the Item1 and possibility of duplicates in Index2 of Item2?
I want to be sure that Index1.Item1 is actually present in Index2.Item2.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This query should give you exact count of items having values in both indexes.
Even if there is duplication. Just to confirm you need count of items common or event count?
Event count will need some other approach.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey deepashri_123 -
I tried entering this one below; naturally with my fields and it did not work - it just shows a count = 0.
index=index1 OR index=index2 | rename item2 as item1 | stats count dc(index) AS dc by item1 | where dc>1 | stats count .
Any other suggestions? I continue to try different approaches.
Wondering How to Build Resiliency in the Cloud?
Updated Data Management and AWS GDI Inventory in Splunk Observability
Introducing the Splunk Community Dashboard Challenge!
