- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Merging results from two different searches in...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My company is currently trying to archive a large amount of older files; however, new files are coming in daily. We would like to know our percentage of files that have been archived is versus the total (to include the new images). I have both search results, but I can't seem to put them together. I'm pretty new to Splunk, and I tried using a join but I couldn't seem to figure it out so any assistance would be appreciated. Thank you in advance.
Search 1:
sourcetype="log.txt-3" status="*" | stats count as currProc | eval totalProc=(currProc+1525036) | eval percentage=round(totalProc*100/34937175,1) | stats sum(percentage)
Search 2:
source="C:\xxxxxx\serverstatus.log" successWrite="*" | stats count as new | eval totalDCM=(new+34937175) | stats sum(totalDCM)
My goal is to add Search 2 to the percentage area, since Search 1 already does the percentage calculations.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I dont know if this is the most efficient way to do things, but here is how I merged two searches:
sourcetype=cisco:ios AND %FW-6-DROP_PKT earliest=-7d@m latest=now | bucket _time span=1d | stats count by _time | stats avg(count) as AverageCountPerDay | eval AveragePerDay=round(AverageCountPerDay, 0) | fields - AverageCountPerDay | eval search=[search sourcetype=cisco:ios AND %FW-6-DROP_PKT earliest=-24h@m latest=now | stats count(src_ip_zbfw) | rename count(src_ip_zbfw) as search] | rename search as today | eval Diff=today-AveragePerDay | eval Today=Diff/today*100 | fieldformat "PercentChange" = tostring(round(Today,2))."%" | table PercentChange,today,Today
You will see the 2nd search here: "eval search=[search sourcetype=cisco:ios AND %FW-6-DROP_PKT earliest=-24h@m latest=now | stats count(src_ip_zbfw) | rename count(src_ip_zbfw) as search]"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I dont know if this is the most efficient way to do things, but here is how I merged two searches:
sourcetype=cisco:ios AND %FW-6-DROP_PKT earliest=-7d@m latest=now | bucket _time span=1d | stats count by _time | stats avg(count) as AverageCountPerDay | eval AveragePerDay=round(AverageCountPerDay, 0) | fields - AverageCountPerDay | eval search=[search sourcetype=cisco:ios AND %FW-6-DROP_PKT earliest=-24h@m latest=now | stats count(src_ip_zbfw) | rename count(src_ip_zbfw) as search] | rename search as today | eval Diff=today-AveragePerDay | eval Today=Diff/today*100 | fieldformat "PercentChange" = tostring(round(Today,2))."%" | table PercentChange,today,Today
You will see the 2nd search here: "eval search=[search sourcetype=cisco:ios AND %FW-6-DROP_PKT earliest=-24h@m latest=now | stats count(src_ip_zbfw) | rename count(src_ip_zbfw) as search]"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That worked...thanks. I really appreciate it. My final search string was:
sourcetype="log.txt-3" status="*" | stats count as currProc | eval totalProc=(currProc+1525036) | eval search=[search source="C:\\xxxxx\\serverstatus.log" successWrite="*" | chart count as total | eval search=(total+34937175)] | rename search as totalDCM | eval percentage=round(totalProc*100/totalDCM,1) | stats sum(percentage)
Thanks again!!
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
