https://community.splunk.com/t5/Splunk-Search/How-to-add-2-different-fields-with-under-the-same-function/m-p/340714#M101041 <P>Hi guys,</P> <P>I need to do add enter 2 different fields under the same function. The first is with an ACResponse specific and i need to respect this function because I will take more information I want just different ACReponse 200</P> <PRE><CODE>| stats list(ACResponse) as ACResponse by OCId | search ACResponse!="*200*" |eval ACResponse=mvjoin(ACResponse,";") | stats count(ACResponse) </CODE></PRE> <P>But i need to research too result <CODE>Workflow="debordement_*"</CODE>, ACresponse for debordement doesn't exist (null) and add to the first result :<BR /> search: </P> <PRE><CODE>Workflow="debordement_*" |stats dc(OCId) </CODE></PRE> <P>I tried with that but the result is null .. Can you tell me what is wrong please and help me if you know how.</P> <PRE><CODE> Workflow="*tsr*" OR "go_choix_1*" |stats count(OCId) | where Workflow="debordement_*" [| stats list(ACResponse) as ACResponse by OCId | search ACResponse!="*200*"|eval ACResponse=mvjoin(ACResponse,";")| stats count(ACResponse) as ACResponse] </CODE></PRE> <P>Thanks for your answers.</P> Mon, 06 Mar 2017 16:33:11 GMT Abarny 2017-03-06T16:33:11Z https://community.splunk.com/t5/Splunk-Search/How-to-add-2-different-fields-with-under-the-same-function/m-p/340714#M101041 <P>Hi guys,</P> <P>I need to do add enter 2 different fields under the same function. The first is with an ACResponse specific and i need to respect this function because I will take more information I want just different ACReponse 200</P> <PRE><CODE>| stats list(ACResponse) as ACResponse by OCId | search ACResponse!="*200*" |eval ACResponse=mvjoin(ACResponse,";") | stats count(ACResponse) </CODE></PRE> <P>But i need to research too result <CODE>Workflow="debordement_*"</CODE>, ACresponse for debordement doesn't exist (null) and add to the first result :<BR /> search: </P> <PRE><CODE>Workflow="debordement_*" |stats dc(OCId) </CODE></PRE> <P>I tried with that but the result is null .. Can you tell me what is wrong please and help me if you know how.</P> <PRE><CODE> Workflow="*tsr*" OR "go_choix_1*" |stats count(OCId) | where Workflow="debordement_*" [| stats list(ACResponse) as ACResponse by OCId | search ACResponse!="*200*"|eval ACResponse=mvjoin(ACResponse,";")| stats count(ACResponse) as ACResponse] </CODE></PRE> <P>Thanks for your answers.</P> Mon, 06 Mar 2017 16:33:11 GMT https://community.splunk.com/t5/Splunk-Search/How-to-add-2-different-fields-with-under-the-same-function/m-p/340714#M101041 Abarny 2017-03-06T16:33:11Z https://community.splunk.com/t5/Splunk-Search/How-to-add-2-different-fields-with-under-the-same-function/m-p/340715#M101042 <P>Alright... I THINK I understand what you're trying to do. Maybe.</P> <P>I think you're trying to join two searches based on a common field.</P> <P>If that's the case, try something like this:</P> <PRE><CODE>YourSearch Workflow="*tsr*" OR "go_choix_1*" | eval ACResponse=mvjoin(ACResponse,";") | search ACResponse!="*200*" | join OCId type=outer [ AnotherSearch Workflow="debordement_*" | stats count by OCId] | stats list(ACResponse) AS ACResponse, dc(ACResponse) AS ACResponse_dcount by OCId </CODE></PRE> <P>You're doing a few different things with the stats functions in your searches, so I'm not sure exactly what your expected output is. You might need to explain a little more. Otherwise, I hope that helps.</P> Mon, 06 Mar 2017 18:06:50 GMT https://community.splunk.com/t5/Splunk-Search/How-to-add-2-different-fields-with-under-the-same-function/m-p/340715#M101042 adayton20 2017-03-06T18:06:50Z https://community.splunk.com/t5/Splunk-Search/How-to-add-2-different-fields-with-under-the-same-function/m-p/340716#M101043 <P>Yes, I want add this 2 differents search for give a unique number. Currently I can find every two but regardless and I want regroup for have A + B.</P> <P>I try with your solution but I find only responses different of 200 and not the call by the Workflow "debordement_*"</P> <PRE><CODE>1. MySearch Workflow="*tsr*" OR "go_choix_1*" 2. | stats list(ACResponse) as ACResponse by OCId 3. | search ACResponse!="*200*" 4. | eval ACResponse=mvjoin(ACResponse,";") 5. | join OCId type=outer [ search Workflow="debordement_*" 6. | stats count by OCId] 7. | stats list(ACResponse) AS ACResponse, dc(ACResponse) AS ACResponse_dcount by OCId 8. | stats count(ACResponse_dcount ) </CODE></PRE> Mon, 06 Mar 2017 19:42:06 GMT https://community.splunk.com/t5/Splunk-Search/How-to-add-2-different-fields-with-under-the-same-function/m-p/340716#M101043 Abarny 2017-03-06T19:42:06Z https://community.splunk.com/t5/Splunk-Search/How-to-add-2-different-fields-with-under-the-same-function/m-p/340717#M101044 <P>Right now your search is doing nothing but counting the unique values of <CODE>OCId</CODE> which can be done like this:</P> <PRE><CODE>... | stats dc(OCId) </CODE></PRE> Fri, 24 Mar 2017 20:51:23 GMT https://community.splunk.com/t5/Splunk-Search/How-to-add-2-different-fields-with-under-the-same-function/m-p/340717#M101044 woodcock 2017-03-24T20:51:23Z