https://community.splunk.com/t5/Splunk-Search/three-search-in-same-page-with-alert-and-time-span-3-month/m-p/367983#M108472 <P>you need to provide more information<BR /> please give examples of the events you're searching and explain what counts you want </P> Tue, 20 Mar 2018 12:50:43 GMT kmaron 2018-03-20T12:50:43Z https://community.splunk.com/t5/Splunk-Search/three-search-in-same-page-with-alert-and-time-span-3-month/m-p/367979#M108468 <P>i want to do three different search in same page for time span is 3 month<BR /> i need a alert to be configured</P> Tue, 20 Mar 2018 09:52:35 GMT https://community.splunk.com/t5/Splunk-Search/three-search-in-same-page-with-alert-and-time-span-3-month/m-p/367979#M108468 logloganathan 2018-03-20T09:52:35Z https://community.splunk.com/t5/Splunk-Search/three-search-in-same-page-with-alert-and-time-span-3-month/m-p/367980#M108469 <P>any update?</P> Tue, 20 Mar 2018 10:50:12 GMT https://community.splunk.com/t5/Splunk-Search/three-search-in-same-page-with-alert-and-time-span-3-month/m-p/367980#M108469 logloganathan 2018-03-20T10:50:12Z https://community.splunk.com/t5/Splunk-Search/three-search-in-same-page-with-alert-and-time-span-3-month/m-p/367981#M108470 <P>Can you please provide more information.<BR /> What are you searching for? What are your searches? Is this a dashboard? What do you want to alert on?</P> Tue, 20 Mar 2018 12:29:29 GMT https://community.splunk.com/t5/Splunk-Search/three-search-in-same-page-with-alert-and-time-span-3-month/m-p/367981#M108470 kmaron 2018-03-20T12:29:29Z https://community.splunk.com/t5/Splunk-Search/three-search-in-same-page-with-alert-and-time-span-3-month/m-p/367982#M108471 <P>no its not dashboard i want to do search to find 3 data count..all are different.<BR /> is there any way to do that apart from dashboard?</P> Tue, 20 Mar 2018 12:48:18 GMT https://community.splunk.com/t5/Splunk-Search/three-search-in-same-page-with-alert-and-time-span-3-month/m-p/367982#M108471 logloganathan 2018-03-20T12:48:18Z https://community.splunk.com/t5/Splunk-Search/three-search-in-same-page-with-alert-and-time-span-3-month/m-p/367983#M108472 <P>you need to provide more information<BR /> please give examples of the events you're searching and explain what counts you want </P> Tue, 20 Mar 2018 12:50:43 GMT https://community.splunk.com/t5/Splunk-Search/three-search-in-same-page-with-alert-and-time-span-3-month/m-p/367983#M108472 kmaron 2018-03-20T12:50:43Z https://community.splunk.com/t5/Splunk-Search/three-search-in-same-page-with-alert-and-time-span-3-month/m-p/367984#M108473 <P>yes..<BR /> index=A sourectype=B "XXX" | stats count by XXX<BR /> index=A sourectype=B "YYY" | stats count by YYY<BR /> index=A sourectype=B "ZZZ" | stats count by ZZZ</P> <P>i want these three table in one page and alert configured for this</P> Tue, 20 Mar 2018 13:00:14 GMT https://community.splunk.com/t5/Splunk-Search/three-search-in-same-page-with-alert-and-time-span-3-month/m-p/367984#M108473 logloganathan 2018-03-20T13:00:14Z https://community.splunk.com/t5/Splunk-Search/three-search-in-same-page-with-alert-and-time-span-3-month/m-p/367985#M108474 <P>Is your alert depend on output of 3 different searches? Can you share your searches and alert conditions ?</P> Tue, 20 Mar 2018 13:01:00 GMT https://community.splunk.com/t5/Splunk-Search/three-search-in-same-page-with-alert-and-time-span-3-month/m-p/367985#M108474 p_gurav 2018-03-20T13:01:00Z https://community.splunk.com/t5/Splunk-Search/three-search-in-same-page-with-alert-and-time-span-3-month/m-p/367986#M108475 <P>did you try using<CODE>append</CODE> command?</P> <PRE><CODE>index=A sourectype=B "XXX" | stats count by XXX |append [search index=A sourectype=B "YYY" | stats count by YYY] | append [search index=A sourectype=B "ZZZ" | stats count by ZZZ] </CODE></PRE> Tue, 20 Mar 2018 13:05:18 GMT https://community.splunk.com/t5/Splunk-Search/three-search-in-same-page-with-alert-and-time-span-3-month/m-p/367986#M108475 p_gurav 2018-03-20T13:05:18Z https://community.splunk.com/t5/Splunk-Search/three-search-in-same-page-with-alert-and-time-span-3-month/m-p/367987#M108476 <P>thanks..please post this in answer tab</P> Tue, 20 Mar 2018 15:05:26 GMT https://community.splunk.com/t5/Splunk-Search/three-search-in-same-page-with-alert-and-time-span-3-month/m-p/367987#M108476 logloganathan 2018-03-20T15:05:26Z https://community.splunk.com/t5/Splunk-Search/three-search-in-same-page-with-alert-and-time-span-3-month/m-p/367988#M108477 <P>@logloganathan you should explore the <A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Multisearch">multisearch</A> command which is not restricted by sub-search limitations</P> <PRE><CODE>| multisearch [search index=A sourcetype=B XXX=*] [search index=A sourcetype=B YYY=*] [search index=A sourcetype=B ZZZ=*] | stats count by XXX YYY ZZZ </CODE></PRE> <P>However, Splunk has numerous <A href="http://docs.splunk.com/Documentation/Splunk/latest/Search/Abouteventcorrelation">event grouping and correlation</A> mechanisms based on the Use Cases and we can not always apply any one of the correlation mechanism for all the scenarios.</P> <P>So you should elaborate on what exactly is your use case. If you are planning to pull 3 months of data to create an alert, could you rely on summary indexing instead? Community would be able to assist you better you add more context to your questions like what is your use case, what does your data look like? What have you tried so far and what does not seem to work?</P> <P>I dont think a doctor should treat patient based on hunch rather the cure should be based upon symptoms!!! So for us to help you better add as much of details as possible to your questions <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Tue, 20 Mar 2018 18:26:24 GMT https://community.splunk.com/t5/Splunk-Search/three-search-in-same-page-with-alert-and-time-span-3-month/m-p/367988#M108477 niketn 2018-03-20T18:26:24Z https://community.splunk.com/t5/Splunk-Search/three-search-in-same-page-with-alert-and-time-span-3-month/m-p/367989#M108478 <P>I can provide only example use cases..i can't provide organization data..i already provided example query I just need output for that and i got it from you..thanks for that</P> Wed, 21 Mar 2018 07:10:58 GMT https://community.splunk.com/t5/Splunk-Search/three-search-in-same-page-with-alert-and-time-span-3-month/m-p/367989#M108478 logloganathan 2018-03-21T07:10:58Z https://community.splunk.com/t5/Splunk-Search/three-search-in-same-page-with-alert-and-time-span-3-month/m-p/367990#M108479 <P>I am glad you are able to resolve the issue that you are facing. Yes we understand that organization data can not be published on public forums, however, usually request here on Splunk Answers is for mocked/anonymized data. In fact most of the times if sensitive information is posted accidentally by folks, community moderators do reach out to them for masking/anonymizing the same.</P> <P>Following is an example of anonymized data in similar format to how original event might have triggered in the system, but without revealing any sensitive information.</P> <PRE><CODE>2017/01/12 08:09:04.325 AM [ERROR] Login failed for abc@def.com on server servername01@domain.com. </CODE></PRE> <P>Having said that I am still curious on the use case for pulling 3 months data for an alert. It is up to you whether you want to post the use case or not since your issue is already resolved! <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Thu, 22 Mar 2018 06:18:37 GMT https://community.splunk.com/t5/Splunk-Search/three-search-in-same-page-with-alert-and-time-span-3-month/m-p/367990#M108479 niketn 2018-03-22T06:18:37Z