Re: Use of output from two indexes

aksampat · ‎05-23-2017

Hi,

I need some help with building a query where the output comes from two different indexes.
Index1:
index=A sourcetype=B | eval cpu_used=1-cpu_idle | eval totalcpu = cpu_used*100

Index2:
index=C sourcetype=D timechart count span=1m AS REQ

Now I need to combine these two and do totalcpu/REQ
How to do this?

Thanks,
Amit

aksampat · ‎05-24-2017

Thank you all

inventsekar · ‎05-24-2017

Hi Aksampat, as you are a new member, thought to remind you - Can you please accept as answer.. maybe an upvote for the unaccepted answer

inventsekar · ‎05-24-2017

Hi Aksampat, as you are a new member, thought to remind you - Can you please accept as answer.. maybe an upvote for the unaccepted answer

inventsekar · ‎05-23-2017

following MuS's great post, lets check this one -

index=A OR index=C sourcetype=B OR sourcetype=D 
| eval cpu_used=1-cpu_idle | eval totalcpu = cpu_used*100 | stats values(count) AS REQ 
| eval result = totalcpu/REQ

MuS · ‎05-23-2017

Hi aksampat,

I will not solve your problem right now, BUT a good starting point is this answer https://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-jo... or the awesome March 2016 post on this page http://wiki.splunk.com/Virtual_.conf

Keep pushing and use stats to the limits 😉

Hope this helps ...

cheers, MuS

Use of output from two indexes

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases