{"id":34924,"date":"2021-04-20T13:13:33","date_gmt":"2021-04-20T13:13:33","guid":{"rendered":"https:\/\/merikebi.warrenmyers.com\/?p=34924"},"modified":"2021-04-20T13:13:33","modified_gmt":"2021-04-20T13:13:33","slug":"answer-by-warren-for-how-to-add-multile-query-in-one-query-in-splunk","status":"publish","type":"post","link":"https:\/\/merikebi.warrenmyers.com\/?p=34924","title":{"rendered":"Answer by warren for How to add multile query in one query in splunk"},"content":{"rendered":"<p>First, since <code>index=...<\/code> is unique, there is no reason to add the <code>index!=...<\/code> clauses. Data in Splunk can only exist in a single index (with a single sourcetype).<\/p>\n<p>So your first SPL should read:<\/p>\n<pre><code>(index=abc OR index=def) (blocked=* OR RuleAction=*)\n| eval result=case(blocked==&quot;0&quot;,&quot;Total Detection&quot;,blocked==&quot;1&quot;,&quot;Total Blocked&quot;,blocked==&quot;2&quot;,&quot;Would have Dropped&quot;,RuleAction==&quot;Allow&quot;,&quot;Total Detection&quot;,RuleAction==&quot;Block&quot;,&quot;Total Blocked&quot;)\n| stats count by result\n<\/code><\/pre>\n<p>Your second SPL should read:<\/p>\n<pre><code>index=abc Category=* (blocked=* OR RuleAction=*)\n| eval result=case(blocked==&quot;0&quot;,&quot;Allowed&quot;,blocked==&quot;1&quot;,&quot;Blocked&quot;,blocked==&quot;2&quot;,&quot;Would have Dropped&quot;,RuleAction==&quot;Allow&quot;,&quot;Allowed&quot;,RuleAction==&quot;Block&quot;,&quot;Blocked&quot;)\n<\/code><\/pre>\n<p>Note: <code>| chart count by index, result usenull=f<\/code> is <em><strong>only<\/strong><\/em> going to list <code>abc<\/code> for your index, since that&#8217;s the only place data is coming from &#8230; probably not an especially <em>useful<\/em> <code>chart<\/code> command here \ud83d\ude42<\/p>\n<pre><code>| append\n    [ search index=def (blocked=* OR RuleAction=*)\n    | eval 
result=case(blocked==&quot;0&quot;,&quot;Allowed&quot;,blocked==&quot;1&quot;,&quot;Blocked&quot;,blocked==&quot;2&quot;,&quot;Would have Dropped&quot;,RuleAction==&quot;Allow&quot;,&quot;Allowed&quot;,RuleAction==&quot;Block&quot;,&quot;Blocked&quot;)\n    ]\n<\/code><\/pre>\n<p>But why do the <code>eval<\/code>s in the second SPL, since they&#8217;re instantly being thrown away by <code>chart<\/code>?<\/p>\n<p>This would be much simpler:<\/p>\n<pre><code>((index=abc Category=*) OR index=def) (blocked=* OR RuleAction=*)\n| chart count by index, result usenull=f\n<\/code><\/pre>\n<p>But what are you <em>actually<\/em> trying to accomplish with the theoretical SPL?<\/p>\n<p>As it stands &#8230; you&#8217;re going to get a two-item <code>chart<\/code> indicating counts from two indices.<\/p>\n<p>from User warren &#8211; Stack Overflow https:\/\/stackoverflow.com\/questions\/67174465\/how-to-add-multile-query-in-one-query-in-splunk\/67179600#67179600<br \/>\nvia <a href=\"https:\/\/ifttt.com\/?ref=da&#038;site=wordpress\">IFTTT<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>First, since index=&#8230; is unique, there is no reason to add the index!=&#8230; clauses. Data in Splunk can only exist in a single index (with a single sourcetype). 
So your first SPL should read: (index=abc OR index=def) (blocked=* OR RuleAction=*) | eval result=case(blocked==&quot;0&quot;,&quot;Total Detection&quot;,blocked==&quot;1&quot;,&quot;Total Blocked&quot;,blocked==&quot;2&quot;,&quot;Would have Dropped&quot;,RuleAction==&quot;Allow&quot;,&quot;Total Detection&quot;,RuleAction==&quot;Block&quot;,&quot;Total Blocked&quot;) | stats count by result You &hellip;<br \/><a href=\"https:\/\/merikebi.warrenmyers.com\/?p=34924\" class=\"more-link pen_button pen_element_default pen_icon_arrow_double\">Continue reading <span class=\"screen-reader-text\">Answer by warren for How to add multile query in one query in splunk<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[4],"tags":[991],"keyring_services":[],"class_list":["post-34924","post","type-post","status-publish","format-standard","hentry","category-blih","tag-stackexchange"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=\/wp\/v2\/posts\/34924","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=34924"}],"version-history":[{"count":1,"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=\/wp\/v2\/posts\/34924\/revisions"}],"predecessor-version":[{"id":34925,"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=\/wp\/v2\/posts\/34924\/revis
ions\/34925"}],"wp:attachment":[{"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=34924"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=34924"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=34924"},{"taxonomy":"keyring_services","embeddable":true,"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=%2Fwp%2Fv2%2Fkeyring_services&post=34924"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}