https://community.splunk.com/t5/Alerting/Compare-two-Splunk-Alert-search-with-same-time-span/m-p/576131#M13270 <P>Dear Professor,</P><P>I have two alert search like this</P><P>1. Search 1:</P><P>index="abc" sourcetype="abc" service.name=financing request.method="POST" request.uri="*/applications" response.status="200"<BR />|timechart span=2m count as applicaton_today<BR />|eval mytime=strftime(_time,"%Y-%m-%dT%H:%M")<BR />|eval yesterday_time=strftime(_time,"%H:%M")<BR />|fields _time,yesterday_time,applicaton_today</P><P>And here is output</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="1.png" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/16983i5D81650CDCE3EA4E/image-size/large?v=v2&amp;px=999" role="button" title="1.png" alt="1.png" /></span>2. Search 2:</P><P>index="xyz" sourcetype="xyz" "Application * sent to xyz success"<BR />|timechart span=2m count as omni_today<BR />|eval mytime=strftime(_time,"%Y-%m-%dT%H:%M")<BR />|eval yesterday_time=strftime(_time,"%H:%M")<BR />|fields _time,yesterday_time,omni_today</P><P>And here is output</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="2.png" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/16984iD20126A3FB83E172/image-size/large?v=v2&amp;px=999" role="button" title="2.png" alt="2.png" /></span></P><P>&nbsp;3. I try to combine two search like this then calculate spike.</P><P>index="abc" sourcetype="abc" service.name=financing request.method="POST" request.uri="*/applications" response.status="200"<BR />|timechart span=2m count as app_today<BR />|eval mytime=strftime(_time,"%Y-%m-%dT%H:%M")<BR />|eval yesterday_time=strftime(_time,"%H:%M")<BR />| append [search index="xyz" sourcetype="xyz" "Application * sent to xyz"<BR />| timechart span=2m count as omni_today]<BR />|fields _time,yesterday_time,app_today,omni_today<BR />|eval spike=if(omni_today &lt; app_today AND _time &lt;= now() - 3*60 AND _time &gt;= relative_time(now(),"@d") + 7.5*3600, 1, 0)</P><P>Here is output</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="3.png" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/16987i23FE3F33D5AA9E6A/image-size/large?v=v2&amp;px=999" role="button" title="3.png" alt="3.png" /></span></P><P>&nbsp;But it shows two time span (like image).&nbsp;</P><P>How can I combine two search with only time span like this.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="4.PNG" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/16989i8B23904904D4CB73/image-size/large?v=v2&amp;px=999" role="button" title="4.PNG" alt="4.PNG" /></span></P><P>&nbsp;</P><P>Thank you for your help.</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 24 Nov 2021 07:13:05 GMT lamnguyentt1 2021-11-24T07:13:05Z https://community.splunk.com/t5/Alerting/Compare-two-Splunk-Alert-search-with-same-time-span/m-p/576131#M13270 <P>Dear Professor,</P><P>I have two alert search like this</P><P>1. Search 1:</P><P>index="abc" sourcetype="abc" service.name=financing request.method="POST" request.uri="*/applications" response.status="200"<BR />|timechart span=2m count as applicaton_today<BR />|eval mytime=strftime(_time,"%Y-%m-%dT%H:%M")<BR />|eval yesterday_time=strftime(_time,"%H:%M")<BR />|fields _time,yesterday_time,applicaton_today</P><P>And here is output</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="1.png" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/16983i5D81650CDCE3EA4E/image-size/large?v=v2&amp;px=999" role="button" title="1.png" alt="1.png" /></span>2. Search 2:</P><P>index="xyz" sourcetype="xyz" "Application * sent to xyz success"<BR />|timechart span=2m count as omni_today<BR />|eval mytime=strftime(_time,"%Y-%m-%dT%H:%M")<BR />|eval yesterday_time=strftime(_time,"%H:%M")<BR />|fields _time,yesterday_time,omni_today</P><P>And here is output</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="2.png" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/16984iD20126A3FB83E172/image-size/large?v=v2&amp;px=999" role="button" title="2.png" alt="2.png" /></span></P><P>&nbsp;3. I try to combine two search like this then calculate spike.</P><P>index="abc" sourcetype="abc" service.name=financing request.method="POST" request.uri="*/applications" response.status="200"<BR />|timechart span=2m count as app_today<BR />|eval mytime=strftime(_time,"%Y-%m-%dT%H:%M")<BR />|eval yesterday_time=strftime(_time,"%H:%M")<BR />| append [search index="xyz" sourcetype="xyz" "Application * sent to xyz"<BR />| timechart span=2m count as omni_today]<BR />|fields _time,yesterday_time,app_today,omni_today<BR />|eval spike=if(omni_today &lt; app_today AND _time &lt;= now() - 3*60 AND _time &gt;= relative_time(now(),"@d") + 7.5*3600, 1, 0)</P><P>Here is output</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="3.png" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/16987i23FE3F33D5AA9E6A/image-size/large?v=v2&amp;px=999" role="button" title="3.png" alt="3.png" /></span></P><P>&nbsp;But it shows two time span (like image).&nbsp;</P><P>How can I combine two search with only time span like this.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="4.PNG" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/16989i8B23904904D4CB73/image-size/large?v=v2&amp;px=999" role="button" title="4.PNG" alt="4.PNG" /></span></P><P>&nbsp;</P><P>Thank you for your help.</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 24 Nov 2021 07:13:05 GMT https://community.splunk.com/t5/Alerting/Compare-two-Splunk-Alert-search-with-same-time-span/m-p/576131#M13270 lamnguyentt1 2021-11-24T07:13:05Z https://community.splunk.com/t5/Alerting/Compare-two-Splunk-Alert-search-with-same-time-span/m-p/576141#M13271 <P>Well. You simply asked splunk to append results of one search to results of another search. So splunk did it - took rows of results from one search and "glued" them to the end of another search.</P><P>You could further transform combined results but it's better to start off without the append in the first place. (subsearches have their own limits and can trigger some tricky behaviour).</P><P>Since you're doing mostly same thing with two sets of result data, you can just get all your events amd then calculate separate stats for both kinds of events.</P><PRE>(index="abc" sourcetype="abc" service.name=financing request.method="POST" request.uri="*/applications" response.status="200") OR ( index="xyz" sourcetype="xyz" "Application * sent to xyz")<BR />|timechart span=2m count(eval(sourcetype="abc")) as app_today count(eval(sourcetype="xyz")) as omni_today<BR />|eval mytime=strftime(_time,"%Y-%m-%dT%H:%M")<BR />|eval yesterday_time=strftime(_time,"%H:%M")<BR />|fields _time,yesterday_time,app_today,omni_today<BR />|eval spike=if(omni_today &lt; app_today AND _time &lt;= now() - 3*60 AND _time &gt;= relative_time(now(),"@d") + 7.5*3600, 1, 0)</PRE><P>&nbsp;</P> Wed, 24 Nov 2021 08:21:09 GMT https://community.splunk.com/t5/Alerting/Compare-two-Splunk-Alert-search-with-same-time-span/m-p/576141#M13271 PickleRick 2021-11-24T08:21:09Z https://community.splunk.com/t5/Alerting/Compare-two-Splunk-Alert-search-with-same-time-span/m-p/576146#M13272 <P>Thank you for your help.</P><P>With my way, it's really easy by change "append" to "appendcols".&nbsp;</P> Wed, 24 Nov 2021 08:31:08 GMT https://community.splunk.com/t5/Alerting/Compare-two-Splunk-Alert-search-with-same-time-span/m-p/576146#M13272 lamnguyentt1 2021-11-24T08:31:08Z