I have some conditions for each search as follows:
Search A
index=users Channel=40
| eval Token = User."-".Channel
| stats count by Token
Search B
index=mobile (Code=5 OR Code=3) AND (Mobile=1 OR Mobile=2)
| stats count by Connection
Search C
index=mobile (Code=5 OR Code=3) AND (Mobile=5 OR Mobile=3) channel=*
| eval Token = user."-".channel
| stats count by Token
Should I save those counts separated? How can I do that...
My main table should show:
Search A count
Search B count
Search C count
Search A + Search B count
Search A + Search C count
Search B + Search C count
Search A + Search B + Search C count
It's like 3 queries inside one main query, but counts are different...
Note that in Search A Channel has an Upper case and in Search C it's lower case...
another approach is to run 3 searches and to save the results with a summary indexing or an outputlookup command.
then run a 4th search retrieving the results from each of them (summary search, or inputlookup with appendcols/append)
Do not forget to add an extra column to your results for the value A/B/C to distinguish them
How can I make this subsearch test work?
I wanna make these fields the same or table'em together to start...
index="mobile" channel=* account=*
[search index="main" Channel=* Account=*]
| table channel account Channel Account
Not really, to append a sub search use
index="mobile" channel=* account=*
| append [search index="main" Channel=* Account=*]
| table channel account Channel Account
If you want to group with a join on the channel and account
index="mobile" channel=* account=*
| join Channel Account [search index="main" Channel=* Account=* ]
| table channel account Channel Account
Remember the 10000 limit, a better solution is to do the stats in the subsearch before
But If all that you want is to get all the results in a single search, try
( index="mobile" channel=* account=* ) OR ( index="main" Channel=* Account=*) | stats count by Token index
But In this case, will channel and account fields work as the same fields for both indexes? Considering that one is Uppercase and the other one is Lowercase, I should convert'em into a new field for a new index for example?
Thanks for the explanation @yannK
Yes, the field names are case sensitive.
So you could rename them and maybe add a detail on the origin, or normalize them and make the sum
index="mobile" channel=* account=* | eval Channel_Mobile=channel | eval Account_Mobile=account
| append [search index="main" Channel=* Account=* | eval Channel_Main=Channel | eval Account_Main=Account ]
| table Channel* Account*
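Added example (not part of the original answer) of the "normalize and sum" variant mentioned above, as a single search instead of an append. It assumes the two searches from the question (index="mobile" with lowercase channel/account, index="main" with uppercase Channel/Account), labels the main index as source A and the mobile index as source B, and builds the Token field the question defines. coalesce() picks whichever spelling of the field exists in each event, so the case difference no longer splits the groups; the final stats then reports, per combination of sources a Token was seen in, how many distinct Tokens and how many events fall into it:

```spl
( index="mobile" channel=* account=* ) OR ( index="main" Channel=* Account=* )
| eval channel_n=coalesce(channel, Channel), account_n=coalesce(account, Account)
| eval src=if(index=="mobile", "B", "A")
| eval Token=account_n."-".channel_n
| stats count AS events, dc(src) AS nsrc, values(src) AS srcs by Token
| eval combo=mvjoin(srcs, "+")
| stats count AS tokens, sum(events) AS events by combo
```

Because values() returns its members in sorted order, combo takes the values A, B or A+B, so a Token counted under A+B is one that appears in both indexes. This runs as one base search with no subsearch, so the 10000-result subsearch limit does not apply; the cost is a single stats over both indexes.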
Got it, still don't know how to do it although...
I can't do it via LookUp cuz of data amount is too high...
How would I create this new index mixing variables?
For example, I have Channel in index=A and ch in index=B, both actually represent the same field with the same values but in different indexes...
Sorry, I never used a subquery or saved search, how should I do that? Do I need to upload a new file or I use all searches in the same place?
Thanks in advance @yannK
Should I use a kind of JOIN for this operation? Or do you think it's possible to make the whole search for all indexes just using subsearches?
I think a lookup for this search won't be possible cuz of the amount of data...
But, after I create a new index, summarized based on two indexes, how do I fill what data I want inside this new index coming from other previous two indexes...
Here are the docs for subsearches
http://docs.splunk.com/Documentation/Splunk/6.1.4/Search/Usesubsearchtocorrelateevents
Remember that they are limited to 10000 lines of result.
and for the lookups as a temporary storage
http://docs.splunk.com/Documentation/Splunk/6.1.4/SearchReference/Outputlookup
http://docs.splunk.com/Documentation/Splunk/6.1.4/SearchReference/Inputlookup
I have three searches and two indexes, is it possible to make a dashboard that counts grouped stats over them?
Have you tried using subsearches and the append or appendcols search command?