Solved: help on basic search with 2 index

jip31 · ‎02-18-2020

HIhi

why I have no resulys even if I merge 2 index even if I have results when I execute one or the other?
(index=ai-pe-* sourcetype="Perfmon:Mem OR index=ai-wmi-* sourcetype="WMI:Mem")
| fields host Value TotalPhysicalMemory
| eval FreeMemory = round(Value, 2). " MB"
| eval TotalMemory = round((TotalPhysicalMemory / 1024 / 1024), 2). " MB"

nickhills · ‎02-18-2020

Your query currently gets interpreted as this:
(I'm also guessing there were *s in the index names - use the code formatter tool 101010 to avoid the html renderer removing them)

index=ai-pe-* AND (sourcetype="Perfmon:Mem OR index=ai-wmi-*) AND sourcetype="WMI:Mem"

Instead you want:

(index=ai-pe-* AND sourcetype="Perfmon:Mem) OR (index=ai-wmi-* AND sourcetype="WMI:Mem")

You can leave the ANDs out - I just added them for clairty

If my comment helps, please give it a thumbs up!

View solution in original post

nickhills · ‎02-18-2020

Your query currently gets interpreted as this:
(I'm also guessing there were *s in the index names - use the code formatter tool 101010 to avoid the html renderer removing them)

index=ai-pe-* AND (sourcetype="Perfmon:Mem OR index=ai-wmi-*) AND sourcetype="WMI:Mem"

Instead you want:

(index=ai-pe-* AND sourcetype="Perfmon:Mem) OR (index=ai-wmi-* AND sourcetype="WMI:Mem")

You can leave the ANDs out - I just added them for clairty

If my comment helps, please give it a thumbs up!

jip31 · ‎02-18-2020

you are right, thanks

help on basic search with 2 index

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms