https://community.splunk.com/t5/Splunk-Search/I-want-to-merge-my-data-into-single-row-also-I-want-to-add-the/m-p/391007#M113814 <P>try this:</P> <PRE><CODE>(index="indexsplunk" host=host* tag="Failure" "Transaction" ) OR (index="indexsplunk" host=host* tag="ABCD" "EFGH") | stats count(eval(tag=="Failure")) as fail_count count(eval(tag=="ABCD")) as adcd_count </CODE></PRE> Wed, 17 Jul 2019 23:14:29 GMT adonio 2019-07-17T23:14:29Z https://community.splunk.com/t5/Splunk-Search/I-want-to-merge-my-data-into-single-row-also-I-want-to-add-the/m-p/391005#M113812 <P>index="indexsplunk" host=host* tag="<EM>Failure</EM>" "Transaction" | stats count as Total<BR /> |append [search index="indexsplunk" host=host* tag="<EM>Failure</EM>" "EFGH" | stats count as Total]</P> <P>Right now, output is displaying in 2 rows, since I append so one more row added for 2nd search. Please help me getting the data populated in one field and also suggest how to add the date while searching.</P> Wed, 17 Jul 2019 15:52:02 GMT https://community.splunk.com/t5/Splunk-Search/I-want-to-merge-my-data-into-single-row-also-I-want-to-add-the/m-p/391005#M113812 krsuraj11 2019-07-17T15:52:02Z https://community.splunk.com/t5/Splunk-Search/I-want-to-merge-my-data-into-single-row-also-I-want-to-add-the/m-p/391006#M113813 <P>Do the two rows have anything in common?</P> Wed, 17 Jul 2019 16:50:24 GMT https://community.splunk.com/t5/Splunk-Search/I-want-to-merge-my-data-into-single-row-also-I-want-to-add-the/m-p/391006#M113813 grittonc 2019-07-17T16:50:24Z https://community.splunk.com/t5/Splunk-Search/I-want-to-merge-my-data-into-single-row-also-I-want-to-add-the/m-p/391007#M113814 <P>try this:</P> <PRE><CODE>(index="indexsplunk" host=host* tag="Failure" "Transaction" ) OR (index="indexsplunk" host=host* tag="ABCD" "EFGH") | stats count(eval(tag=="Failure")) as fail_count count(eval(tag=="ABCD")) as adcd_count </CODE></PRE> Wed, 17 Jul 2019 23:14:29 GMT https://community.splunk.com/t5/Splunk-Search/I-want-to-merge-my-data-into-single-row-also-I-want-to-add-the/m-p/391007#M113814 adonio 2019-07-17T23:14:29Z https://community.splunk.com/t5/Splunk-Search/I-want-to-merge-my-data-into-single-row-also-I-want-to-add-the/m-p/391008#M113815 <P>Yes, Index, Host and Tag are common, please help </P> Thu, 18 Jul 2019 07:32:48 GMT https://community.splunk.com/t5/Splunk-Search/I-want-to-merge-my-data-into-single-row-also-I-want-to-add-the/m-p/391008#M113815 krsuraj11 2019-07-18T07:32:48Z https://community.splunk.com/t5/Splunk-Search/I-want-to-merge-my-data-into-single-row-also-I-want-to-add-the/m-p/391009#M113816 <P>Hi, it gives me the 0 result, actually tag is common for both, can you please check again.</P> Thu, 18 Jul 2019 07:34:08 GMT https://community.splunk.com/t5/Splunk-Search/I-want-to-merge-my-data-into-single-row-also-I-want-to-add-the/m-p/391009#M113816 krsuraj11 2019-07-18T07:34:08Z https://community.splunk.com/t5/Splunk-Search/I-want-to-merge-my-data-into-single-row-also-I-want-to-add-the/m-p/391010#M113817 <P>try and use this formula, here i use wild cards in eval <CODE>%Fail%</CODE> you might not need.</P> <P>| makeresults count=1000<BR /> | eval random_for_text = random()%2<BR /> | eval text_to_search = if(random_for_text=="0","Failure","EFGH")<BR /> | stats count(eval(like(text_to_search,"%Fail%"))) as fail_count count(eval(like(text_to_search, "%EF%"))) as efgh_count</P> <P>in your case itll be maybe something like this:<BR /> index="indexsplunk" host=host* tag="Failure" "Transaction" ("Failure" OR "EFGH")<BR /> | stats count(eval(like(_raw,"Failure"))) as fail_count count(eval(like(_raw, "EFGH"))) as efgh_count<BR /> hope it helps</P> Wed, 30 Sep 2020 01:20:10 GMT https://community.splunk.com/t5/Splunk-Search/I-want-to-merge-my-data-into-single-row-also-I-want-to-add-the/m-p/391010#M113817 adonio 2020-09-30T01:20:10Z