First, since index=... is unique, there is no reason to add the index!=... clauses. Data in Splunk can only exist in a single index (with a single sourcetype).
So your first SPL should read:
(index=abc OR index=def) (blocked=* OR RuleAction=*)
| eval result=case(blocked=="0","Total Detection",blocked=="1","Total Blocked",blocked=="2","Would have Dropped",RuleAction=="Allow","Total Detection",RuleAction=="Block","Total Blocked")
| stats count by result
Your second SPL should read:
index=abc Category=* (blocked=* OR RuleAction=*)
| eval result=case(blocked=="0","Allowed",blocked=="1","Blocked",blocked=="2","Would have Dropped",RuleAction=="Allow","Allowed",RuleAction=="Block","Blocked")
note: | chart count by index, result usenull=f is only going to list abc for your index, since that’s the only place data is coming from … probably not an especially useful chart command here 🙂
| append
[ search index=def (blocked=* OR RuleAction=*)
| eval result=case(blocked=="0","Allowed",blocked=="1","Blocked",blocked=="2","Would have Dropped",RuleAction=="Allow","Allowed",RuleAction=="Block","Blocked")
]
But why do the evals in the second SPL, since they’re instantly being thrown away by chart?
This would be much simpler:
((index=abc Category=*) OR index=def) (blocked=* OR RuleAction=*)
| chart count by index, result usenull=f
But what are you actually trying to accomplish with the theoretical SPL?
As it stands … you’re going to get a two-item chart indicating counts from two indices.
from User warren – Stack Overflow https://stackoverflow.com/questions/67174465/how-to-add-multile-query-in-one-query-in-splunk/67179600#67179600
via IFTTT
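To make concrete what the case() mapping and the stats/chart commands in the answer above produce, here is an added Python simulation (not from the answer, and not Splunk code) run over a few constructed events from the two indices; it assumes Splunk's first-match case() semantics, that field=* means "the field exists", and that stats/chart drop events whose group-by value is null.

```python
from collections import Counter

# Constructed sample events (not from the original answer): two indices, two schemas.
EVENTS = [
    {"index": "abc", "Category": "web", "blocked": "0"},
    {"index": "abc", "Category": "web", "blocked": "1"},
    {"index": "abc", "Category": "dns", "blocked": "2"},
    {"index": "abc", "Category": "dns", "blocked": "9"},  # no case() branch matches -> null result
    {"index": "def", "RuleAction": "Allow"},
    {"index": "def", "RuleAction": "Block"},
    {"index": "def", "RuleAction": "Allow"},
]

# Ordered (condition, label) pairs mirroring the case() in the first SPL; case() returns the first true branch.
FIRST_SPL_CASE = [
    (lambda e: e.get("blocked") == "0", "Total Detection"),
    (lambda e: e.get("blocked") == "1", "Total Blocked"),
    (lambda e: e.get("blocked") == "2", "Would have Dropped"),
    (lambda e: e.get("RuleAction") == "Allow", "Total Detection"),
    (lambda e: e.get("RuleAction") == "Block", "Total Blocked"),
]

def case(event, branches):
    """Splunk-style case(): first matching branch wins; no match -> None (null)."""
    for cond, label in branches:
        if cond(event):
            return label
    return None

def base_search(events):
    """(index=abc OR index=def) (blocked=* OR RuleAction=*): field=* means the field exists."""
    return [e for e in events
            if e.get("index") in ("abc", "def")
            and ("blocked" in e or "RuleAction" in e)]

def stats_count_by_result(events, branches):
    """| eval result=case(...) | stats count by result  (events with a null result are dropped)."""
    labels = (case(e, branches) for e in base_search(events))
    return dict(Counter(l for l in labels if l is not None))

def chart_count_by_index_result(events, branches):
    """| eval result=case(...) | chart count by index, result usenull=f  -> {index: {result: count}}."""
    table = {}
    for e in base_search(events):
        label = case(e, branches)
        if label is None:  # usenull=f: events whose split-by field is null get no series
            continue
        table.setdefault(e["index"], Counter())[label] += 1
    return {idx: dict(c) for idx, c in table.items()}
```

The blocked="9" event never gets a result and so silently vanishes from both counts, which is the sort of gap to check for before trusting a "Total Blocked" number.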