What will be the best possible to perform the foll...

gokikrishnan198 · ‎08-01-2018

Query1: index=IDX|stats count by ApplCode
Output:
ApplCode
1234567890
2345678901
3456789012
4567890123

Query2: index=IDX ApplCode=1234567890 | stats count by CustID ApplCode Status
ApplCode Status
1234567890 Submit
2345678901 Submit
3456789012 Complete
4567890123 Complete

In the above queries, Query1 output goes as input for Query2. For each value in the output of Query1 has to be checked with Query2 and its status has to be updated. What will be the best possible way make this step simpler?

DalJeanis · ‎08-02-2018

Neither of those is the actual output format for those queries - there should be a count field.

Also, you are not going to get that exact output with that second language, unless the same status was on every record.

It might look like

1234567890 Complete     5   
1234567890 Submit        12 
2345678901 Submit        27
3456789012 Complete      8
...

and so on.

In order to help you, we need more information about the underlying records, and what the purpose of each report is.

richgalloway · ‎08-02-2018

Your example queries may be over-simplified, but you can probably use a single query along the lines of index=IDX | stats count by CustID ApplCode Status

---
If this reply helps you, Karma would be appreciated.

What will be the best possible to perform the following scenario simpler?

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM