How to combine two search results in a better way

dibyaranjan3177 · ‎12-18-2019

Hello,

I am trying to create a query which will help me combine results from two search results by doing this:

 index=some_index source="log_source" AND "Not Updated - sourceId" 
 | stats count as RejectedEvents 
 | appendcols [
     search index=some_index source="log_source" 
     | rex ".*Batch info: completed, processed entities: (?<numberOfMessage>.*)"
     | stats sum(numberOfMessage) as ProcessedEvents
   ] 
 | eval total = ProcessedEvents + RejectedEvents
 | fields total

This query works fine, but is insanely slow. Any help on making this better?

woodcock · ‎12-18-2019

Try this:

index="some_index" AND source="log_source"
| rex ".*Batch info: completed, processed entities: (?<numberOfMessage>.*)"
| stats sum(numberOfMessage) AS ProcessedEvents count AS total_raw count(eval(searchmatch("Not Updated - sourceId"))) AS RejectedEvents
| eval total_true = ProcessedEvents + RejectedEvents

richgalloway · ‎12-18-2019

This may be a little better.

(index=some_index source="log_source") OR (index=some_index source="log_source" "Not Updated - sourceId" )
| eval Rejected = if (match(_raw, "Not Updated - sourceId"), 1, 0)
| rex ".*Batch info: completed, processed entities: (?<numberOfMessage>.*)"
| stats sum(Rejected) as RejectedEvents, sum(numberOfMessage) as ProcessedEvents
| eval total = ProcessedEvents + RejectedEvents
| fields total

---
If this reply helps you, Karma would be appreciated.

How to combine two search results in a better way

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases