Splunk Search

How to join fields from two different indexes and times?

tpaulsen
Contributor

Hello,

I have the following problem.

I have one search listing some hosts and their matching environment, search range: all time.

index=idx_stats | top limit=10000 host,envi | fields - count,percent

And I have a second search, for the last 7 days, that delivers the "per_host_thruput" from the Splunk _internal index. I now want to match those per-host and per-day results with the list of hosts and environments above. How can I achieve that?

index="_internal" source="*metrics.log" group="per_host_thruput" | eval date=strftime(_time, "%F") | chart sum(kb) over series by date
0 Karma

lguinn2
Legend

There are several ways to do this, depending on how you want the resulting chart (or table?) to look. So more information would be helpful. But here is a start:

index=idx_stats earliest=0
| stats values(envi) by host
| join host [ search index="_internal" source="*metrics.log" group="per_host_thruput" earliest=-7d
    | eval date=strftime(_time, "%F")
    | rename series as host
    | chart sum(kb) over host by date ]
0 Karma

lguinn2
Legend

Well, you are searching idx_stats over all time. How big is this index?

Second, do these searches work individually? How long do they take to run?

index=idx_stats earliest=0
| stats values(host) by envi

and

index="_internal" source="*metrics.log" group="per_host_thruput" earliest=-7d
| eval date=strftime(_time, "%F")
| rename series as host
| chart sum(kb) over host by date

0 Karma

tpaulsen
Contributor

Maybe... if I use a macro?

0 Karma

tpaulsen
Contributor

Hey, that was quick! Thank you.

I tried it the other way round, because I am interested in the GB not per host but per "envi". But I didn't get it to work. Your suggested solution unfortunately doesn't work either. I think the main problem is also the different time ranges for the searches. The index=idx_stats search goes back a very long time, the other search is only 7 days.

0 Karma
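An alternative that sidesteps the different time ranges, added here as an illustration and not part of the thread above: instead of running the all-time idx_stats search inside a join subsearch every time (where subsearch result and runtime limits apply), store the host-to-environment mapping in a lookup table and enrich the 7-day throughput search from it. The lookup file name host_envi.csv and the GB conversion from the kb field are assumptions for this example.

```spl
index=idx_stats earliest=0
| stats values(envi) as envi by host
| outputlookup host_envi.csv

index="_internal" source="*metrics.log" group="per_host_thruput" earliest=-7d
| eval date=strftime(_time, "%F")
| rename series as host
| lookup host_envi.csv host OUTPUT envi
| fillnull value="unknown" envi
| eval gb=round(kb/1024/1024, 2)
| chart sum(gb) over envi by date
```

The first search builds the lookup and can be scheduled (for example once a day) so the mapping stays current without the all-time scan running with every report; the second search is the one you actually run for the last 7 days. The fillnull line keeps hosts that are not in the mapping visible as "unknown" rather than silently dropping them from the chart, and the values(envi) in the first search will produce a multivalue envi for any host that appears under more than one environment, which is worth checking in the lookup before trusting the per-envi totals.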