Splunk Search

Combine the count from 1 search to the result of another search

agolkar
Explorer

Hello everyone,

I have one search that is showing me a list of IP addresses. Let's call the field of IP addresses "Name":

  index="IP_list" sourcetype="sourcetype_IP_list" | table Name Location

I get the output of:

Name             Location
---------------  --------------------
192.168.1.3      basement
192.168.1.5      attic
192.168.1.8      garage

I have another search that is showing me something about the servers if that server has more than 1 of that thing. In this search, the server IP is called "IP".
Here is an example:

index="server_info" thing>0 | stats count by IP

I get the output of:

IP               count
---------------  -------------
192.168.1.3      4
192.168.1.5      8
192.168.1.8      2

How could I combine these 2 searches so that I get a table that shows the IP (Name), location, and the count?

0 Karma

Vijeta
Influencer

Try this -

index="IP_list" sourcetype="sourcetype_IP_list" | stats values(Location) as Location by Name | join Name [search index="server_info" thing>0 | stats count by IP | rename IP as Name]
0 Karma

chrisyounger
SplunkTrust

Try this

index="IP_list" sourcetype="sourcetype_IP_list" 
| eval IP = Name
| fields IP Location 
| append [ search index="server_info" thing > 0 | stats count by IP]
| stats latest(count) as count values(Location) by IP

Hope this helps!

agolkar
Explorer

I feel like it's so close! It's getting me the right columns but the count field is empty for every IP...

0 Karma

chrisyounger
SplunkTrust

Does this search work correctly on its own?

search index="server_info" thing > 0 | stats count by IP

Secondly, what happens if you try changing the last line to this:

| stats values(count) as count values(Location) by IP

agolkar
Explorer

search index="server_info" thing > 0 | stats count by IP

Does work.

Changing the last line worked! I now see the correct counts! However, I noticed one weird thing. If I add the location to the first line of the search, e.g.:

index="IP_list" sourcetype="sourcetype_IP_list" Location="basement"

It still shows all results/counts but leaves the location of other places empty and just shows the location for servers located in "basement". Any ideas on how to fix this? Thank you for the help.

0 Karma
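The `Location="basement"` filter only narrows the first search; the `append` subsearch still contributes a count row for every IP, so those rows survive the final `stats` with an empty Location. The searches below are added here as an illustration and are not part of the thread. Index, sourcetype and field names are taken from the posts above; the lookup file name `ip_locations.csv` is an assumed name for the example. They are separated by blank lines: (1) the append form with the filter moved after the merge, (2) an inner join, where filtering the outer search is enough, and (3) a lookup built from the IP list once and then used to enrich the count search.

```spl
index="IP_list" sourcetype="sourcetype_IP_list"
| eval IP = Name
| fields IP Location
| append [ search index="server_info" thing > 0 | stats count by IP ]
| stats values(Location) as Location values(count) as count by IP
| search Location="basement"
| table IP Location count

index="IP_list" sourcetype="sourcetype_IP_list" Location="basement"
| stats values(Location) as Location by Name
| join type=inner Name [ search index="server_info" thing > 0 | stats count by IP | rename IP as Name ]
| table Name Location count

index="IP_list" sourcetype="sourcetype_IP_list"
| stats values(Location) as Location by Name
| outputlookup ip_locations.csv

index="server_info" thing > 0
| stats count by IP
| lookup ip_locations.csv Name AS IP OUTPUT Location
| search Location="basement"
| table IP Location count
```

In the first form the `search` after `stats` also drops IPs that have a count but no entry in the IP list; replace it with `| where isnotnull(Location)` if you want every known location rather than one. `values(count)` (or `max(count)`) is used rather than `latest(count)` because the rows produced by the appended `stats` carry no `_time`, so the time-ordered `latest()` has nothing to pick from, which matches the empty count column seen earlier in the thread. The `join` form is the simplest to read, but its subsearch is capped (50,000 rows and 60 seconds by default), so for a large server inventory the lookup form is the one to keep: it runs the inventory search once and does not re-run it on every count query.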