https://community.splunk.com/t5/Alerting/How-to-join-two-search-with-event-count/m-p/610552#M14182 <P>Individual search work, but not combined. When I combined only the first one of the event pops up(first part of search), not the second.&nbsp;</P> Tue, 23 Aug 2022 20:02:41 GMT Vasu1 2022-08-23T20:02:41Z https://community.splunk.com/t5/Alerting/How-to-join-two-search-with-event-count/m-p/610449#M14177 <P>I want to create an alert if any of the files are missing, a description printout for that. But this search only gives me one event although it should give me two. In a nutshell, the second part after append is not working. Individual search work.&nbsp; Please guide. It would be greatly appreciated.&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">index = axway abc@gmail.com *INCL* | stats count by host | where count = 0 | eval description="File1 INCL Missing" |table description | append [search index = axway abc@gmail.com *POD* | stats count | where count = 0 | eval description="File2 POD Missing" |table description]</LI-CODE> <P>&nbsp;</P> Tue, 23 Aug 2022 23:08:52 GMT https://community.splunk.com/t5/Alerting/How-to-join-two-search-with-event-count/m-p/610449#M14177 Vasu1 2022-08-23T23:08:52Z https://community.splunk.com/t5/Alerting/How-to-join-two-search-with-event-count/m-p/610455#M14178 <P>Your search makes no sense, you cannot do</P><LI-CODE lang="markup">index = axway abc@gmail.com *INCL* | stats count by host | where count = 0 </LI-CODE><P>as this will always give you 0 results. Think about it - if you have 100 events for 2 hosts A and B then count by host will give you a count for hosts A and B. It can never give you a count for host C which has no data, so you can never get 0 for host C</P><P>If you are trying to find out if, for hosts A, B and C whether there is an event, then you need to have all your expected hosts in a lookup file and do something like</P><LI-CODE lang="markup">index = axway abc@gmail.com *INCL* | stats count by host | inputlookup append=t my_list_of_hosts | stats values(count) as count by host | fillnull count value=0 | where count = 0 | eval description="File1 INCL Missing" | table description </LI-CODE><P>this will prove the negative for the first check. Then you can do this for the second one - but you could also combine this to a single search if the hosts are the same.</P><P>Hope this helps.</P><P>&nbsp;</P> Tue, 23 Aug 2022 07:17:11 GMT https://community.splunk.com/t5/Alerting/How-to-join-two-search-with-event-count/m-p/610455#M14178 bowesmana 2022-08-23T07:17:11Z https://community.splunk.com/t5/Alerting/How-to-join-two-search-with-event-count/m-p/610547#M14180 <LI-CODE lang="markup">index = axway abc@gmail.com *INCL* | stats count | where count = 0 | eval description="File1 INCL Missing" |table description | append [search index = axway abc@gmail.com *POD* | stats count | where count = 0 | eval description="File2 POD Missing" |table description]</LI-CODE><P>Very much appreciate your reply. It should not be counted by the host. I apologize for that. Above is the search I am trying to search. All I am trying to do is combine search to alert us if any of the POD and INCL file is missing, and print the description for that search.&nbsp;</P> Tue, 23 Aug 2022 19:33:55 GMT https://community.splunk.com/t5/Alerting/How-to-join-two-search-with-event-count/m-p/610547#M14180 Vasu1 2022-08-23T19:33:55Z https://community.splunk.com/t5/Alerting/How-to-join-two-search-with-event-count/m-p/610550#M14181 <P>Above search should be working. Is it not working for you?</P> Tue, 23 Aug 2022 20:00:21 GMT https://community.splunk.com/t5/Alerting/How-to-join-two-search-with-event-count/m-p/610550#M14181 somesoni2 2022-08-23T20:00:21Z https://community.splunk.com/t5/Alerting/How-to-join-two-search-with-event-count/m-p/610552#M14182 <P>Individual search work, but not combined. When I combined only the first one of the event pops up(first part of search), not the second.&nbsp;</P> Tue, 23 Aug 2022 20:02:41 GMT https://community.splunk.com/t5/Alerting/How-to-join-two-search-with-event-count/m-p/610552#M14182 Vasu1 2022-08-23T20:02:41Z https://community.splunk.com/t5/Alerting/How-to-join-two-search-with-event-count/m-p/610554#M14183 <P>It is working for me as is (Splunk v8.2.4)</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screen Shot 2022-08-23 at 4.04.02 PM.png" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/21149iEE9ED16EF000179F/image-size/large?v=v2&amp;px=999" role="button" title="Screen Shot 2022-08-23 at 4.04.02 PM.png" alt="Screen Shot 2022-08-23 at 4.04.02 PM.png" /></span></P> Tue, 23 Aug 2022 20:05:38 GMT https://community.splunk.com/t5/Alerting/How-to-join-two-search-with-event-count/m-p/610554#M14183 somesoni2 2022-08-23T20:05:38Z https://community.splunk.com/t5/Alerting/How-to-join-two-search-with-event-count/m-p/610566#M14184 <P>Odd, it should work. If you run this</P><LI-CODE lang="markup">index = axway abc@gmail.com *INCL* | stats count | eval description="File1 INCL Missing" | append [ search index = axway abc@gmail.com *POD* | stats count | eval description="File2 POD Missing" ]</LI-CODE><P>does it show you both rows with the count of results for each?</P> Tue, 23 Aug 2022 22:17:55 GMT https://community.splunk.com/t5/Alerting/How-to-join-two-search-with-event-count/m-p/610566#M14184 bowesmana 2022-08-23T22:17:55Z https://community.splunk.com/t5/Alerting/How-to-join-two-search-with-event-count/m-p/611168#M14193 <P>I need to add another part before this search to make it work, but it works the way I want. Thanks for the response guys.&nbsp;</P> Mon, 29 Aug 2022 16:34:37 GMT https://community.splunk.com/t5/Alerting/How-to-join-two-search-with-event-count/m-p/611168#M14193 Vasu1 2022-08-29T16:34:37Z