Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to merge the results from two different indexes/sourcetypes.

Maniteja81
New Member
‎06-07-2018 11:30 AM

Hi,

I have two queries, one gives me the test-case names, test-id details and lsf jobid details. Another query gives me the details on how much memory and cpu that my test has consumed. But unfortunately the second query doesn't have the test-names and test-id details.

So i was trying out to merge the two queries to display the memory consumption values along with test-case names and other details. I have tried a sub search but it did not help much.
Can you please tell me is there anyother way to do this.

Here are the queries for reference:
1. index=qvmr_soc_r groupID=qvmr_hana thumb_print=bks_2018.04.23_00.55.01_san_qp200_e10_1_04_56478 job_type=run_job state=Done | stats list(test_name) as test_name list(vov_jobid) as jobid by thumb_print

  1. index=public365 sourcetype=json_flowtracer user=bks vov_project_name=bks_2018.04.23_00.54.31_vl_bks_gridsdca_113606 | stats list(vov_jobname) as jobname list(vov_job_reqram) as reqram list(vov_job_maxram) as maxram list(vov_job_maxswap) as maxswap list(vov_jobid) as Jobid by vov_project_name

Please help on this.

Tags (1)
0 Karma
Reply

DalJeanis
Legend
‎06-07-2018 12:35 PM

The field in common seems to be vov_jobid.

This should roll together all the data for each vov_jobid. 

( index=qvmr_soc_r   
  groupID=qvmr_hana 
  thumb_print=bks_2018.04.23_00.55.01_san_qp200_e10_1_04_56478 
  job_type=run_job 
  state=Done)
 OR 
  (index=public365 
  sourcetype=json_flowtracer 
  user=bks 
  vov_project_name=bks_2018.04.23_00.54.31_vl_bks_gridsdca_113606)  

 | fields test_name thumb_print vov_jobid vov_jobname vov_job_reqram vov_job_maxram vov_job_maxswap vov_project_name
 | stats values(*) as * by vov_jobid

That should give you a set of records that look like this (some fields may be empty)

| fields _time vov_jobid test_name thumb_print vov_jobname vov_job_reqram vov_job_maxram vov_job_maxswap vov_project_name

Start from there and see where you end up.

0 Karma
Reply

DalJeanis
Legend
‎06-07-2018 12:24 PM

how would you, as a human, know that something on one report matched something on the other report?

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...