Splunk Search

get count of subsearch and main search

sree6494
New Member

I am trying to get an inner join result which looks something like this: if there are 100 unique fields from the subsearch, I want to confirm whether each field is present in the main search and get the count if it is present. Get the count of the subsearch and the main search.

0 Karma

to4kawa
Ultra Champion
index=A "SMSSent=[1]" earliest=-11m@m latest=-1m@m
| eval flag="SMS"
| append [ search index=A "DeliveryReceipt=[1]" earliest=-12m@m latest=-0m@m 
| eval flag="DR"]
| stats count by flag

how about this?

0 Karma

sree6494
New Member

This is great, but the subsearch results aren't a subset of the main search results (based on the MessageID field), which is the challenge.

0 Karma

to4kawa
Ultra Champion

I have no idea what log you want to count.

my answer result:

flag count
DR  xxx
SMS XXX

comparison:

index=A "SMSSent=[1]" earliest=-11m@m latest=-1m@m
| eval flag="SMS"
| append [ search index=A "DeliveryReceipt=[1]" earliest=-12m@m latest=-0m@m 
| eval flag="DR"]
| stats count(eval(flag="SMS")) as SMS count(eval(flag="DR")) as DR
| eval compare = DR - SMS

this result:

DR  SMS compare
XXX YYY ZZ

0 Karma

sree6494
New Member

index=A "SMSSent=[1]" earliest=-11m@m latest=-1m@m
| join type=inner MessageID [ search index=A "DeliveryReceipt=[1]" earliest=-12m@m latest=-0m@m ]

Here I'm getting the results from my main search and mapping them with the subsearch. I am wondering how the count can be calculated for the main search results and the count for the join results.

0 Karma

sree6494
New Member

to4kawa - I am able to do the inner join but am struggling with getting the count. Are you suggesting alternatives to the join statement for this purpose?

0 Karma
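One way to get both counts (main-search messages and messages that the inner join would return) without using join, as an added example that is not from any poster in this thread: run one search over both event types, tag each event, collapse to one row per MessageID, then count how many MessageIDs have an SMS event, and how many have both an SMS and a DR event. It assumes MessageID is extracted on both event types and that the wider -12m..-0m window is acceptable for the SMS events as well.

```spl
index=A ("SMSSent=[1]" OR "DeliveryReceipt=[1]") earliest=-12m@m latest=-0m@m
| eval flag=case(like(_raw, "%SMSSent=[1]%"), "SMS", like(_raw, "%DeliveryReceipt=[1]%"), "DR")
| where isnotnull(flag)
| stats count(eval(flag="SMS")) as n_sms count(eval(flag="DR")) as n_dr by MessageID
| stats count(eval(n_sms>0)) as sms_messages count(eval(n_sms>0 AND n_dr>0)) as joined_messages count(eval(n_sms=0 AND n_dr>0)) as dr_without_sms
| eval missing_dr = sms_messages - joined_messages
```

Here sms_messages is the distinct count of main-search messages, joined_messages is what the inner join on MessageID would return, and dr_without_sms shows the receipts that are not a subset of the main search, which the join silently drops. Because everything is aggregated with stats, the result is not subject to the row and time limits that apply to a join subsearch.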