https://community.splunk.com/t5/Splunk-Search/How-to-override-only-specific-fields-using-appendcols/m-p/424066#M121640 <P>For what you want to do (combine both the result), appendcols is not the correct command. Logically you want to join both the search result based on column rsti_thumb_print. Splunk has a join command but it's very resource intensive, so I would suggest trying this alternate solution of join, using append and stats command (also made few changes to query to apply some optimizations):</P> <PRE><CODE>index=qvmr_qvmregress_r groupID=qvmr_dev rsti_thumb_print=rsti_fvcad_ds_Tue_May_29_22_06_37_2018_fvcad-jenkins-01_fvcad_ds OR rsti_thumb_print=rsti_fvcad_ds_Thu_May_10_22_06_55_2018_fvcad-jenkins-01_fvcad_ds OR rsti_thumb_print=rsti_fvcad_ds_Thu_May_10_03_45_41_2018_fvcad-jenkins-01_fvcad_ds | makemv delim="," version_vector |eval success=case((isnotnull(success) AND success="") OR success="0","FAIL",success="1","PASS", success="-1","UNFINISHED", true(),success) |makemv delim="," version_vector | stats list(actual_status) as l_status,list(success) as status ,list(version_vector) as vv by dut_id,rsti_thumb_print |search vv="*" | eval status=coalesce(status,"SCHEDULED") |stats count(eval(status=="PASS")) as pass_count count(eval(status=="FAIL")) as fail_count count(eval(status=="SCHEDULED")) as incmp_count count(eval("PASS"+"FAIL"+"SCHEDULED")) as total_count by rsti_thumb_print | append [search index=qvmr_qvmregress_r groupID=qvmr_dev rsti_thumb_print=rsti_fvcad_ds_Thu_May_10_22_06_55_2018_fvcad-jenkins-01_fvcad_ds | dedup dut_id | stats count(dut_id) as max_tests by rsti_thumb_print] | stats values(*) as * by rsti_thumb_print | eval diff=max_tests - total_count | table max_tests total_count diff rsti_thumb_print </CODE></PRE> Tue, 29 Sep 2020 19:47:13 GMT somesoni2 2020-09-29T19:47:13Z https://community.splunk.com/t5/Splunk-Search/How-to-override-only-specific-fields-using-appendcols/m-p/424063#M121637 <P>Hi, <BR /> Is there a way to only override specific fields only. When i use appendcols override=true, it is overriding all the fields having same name. <BR /> But i want to override only few fields not all. Is this possible ?<BR /> Please help me on this. </P> Wed, 30 May 2018 16:16:02 GMT https://community.splunk.com/t5/Splunk-Search/How-to-override-only-specific-fields-using-appendcols/m-p/424063#M121637 Maniteja81 2018-05-30T16:16:02Z https://community.splunk.com/t5/Splunk-Search/How-to-override-only-specific-fields-using-appendcols/m-p/424064#M121638 <P>If you don't want to override all the fields, in appendcols subsearch, only specify the fields that you want to override.</P> <P>There may be other/better options, which we can suggest if you could share your current full search.</P> Wed, 30 May 2018 16:26:17 GMT https://community.splunk.com/t5/Splunk-Search/How-to-override-only-specific-fields-using-appendcols/m-p/424064#M121638 somesoni2 2018-05-30T16:26:17Z https://community.splunk.com/t5/Splunk-Search/How-to-override-only-specific-fields-using-appendcols/m-p/424065#M121639 <P>Hi Soni,</P> <P>Here is my full search <BR /> index=qvmr_qvmregress_r groupID=qvmr_dev rsti_thumb_print=rsti_fvcad_ds_Tue_May_29_22_06_37_2018_fvcad-jenkins-01_fvcad_ds OR rsti_thumb_print=rsti_fvcad_ds_Thu_May_10_22_06_55_2018_fvcad-jenkins-01_fvcad_ds OR rsti_thumb_print=rsti_fvcad_ds_Thu_May_10_03_45_41_2018_fvcad-jenkins-01_fvcad_ds | makemv delim="," version_vector |eval success=if(isnotnull(success) and success="","FAIL",success)|eval success=if(success="1","PASS",success)| eval success=if(success="0","FAIL",success) | eval success=if(success="-1","UNFINISHED",success)|makemv delim="," version_vector | stats list(actual_status) as l_status,list(success) as status ,list(version_vector) as vv by dut_id,rsti_thumb_print | eval status=if(isnull(status),"SCHEDULED",status) |search vv="*"|stats count(eval(status=="PASS")) as pass_count count(eval(status=="FAIL")) as fail_count count(eval(status=="SCHEDULED")) as incmp_count count(eval("PASS"+"FAIL"+"SCHEDULED")) as total_count by rsti_thumb_print| appendcols [search index=qvmr_qvmregress_r groupID=qvmr_dev rsti_thumb_print=rsti_fvcad_ds_Thu_May_10_22_06_55_2018_fvcad-jenkins-01_fvcad_ds | dedup dut_id | stats count(dut_id) as max_tests by rsti_thumb_print] | eval diff=max_tests - total_count | table max_tests total_count diff rsti_thumb_print</P> <P>What i'm trying to achieve from this query is, i want to do a diff on the number of the test-cases present in the golden regression to the reference regression. </P> <P>But the above query is showing difference for only regression, rest it doesn't show. I'm trying to figure out is there any way to do this. </P> Tue, 29 Sep 2020 19:47:10 GMT https://community.splunk.com/t5/Splunk-Search/How-to-override-only-specific-fields-using-appendcols/m-p/424065#M121639 Maniteja81 2020-09-29T19:47:10Z https://community.splunk.com/t5/Splunk-Search/How-to-override-only-specific-fields-using-appendcols/m-p/424066#M121640 <P>For what you want to do (combine both the result), appendcols is not the correct command. Logically you want to join both the search result based on column rsti_thumb_print. Splunk has a join command but it's very resource intensive, so I would suggest trying this alternate solution of join, using append and stats command (also made few changes to query to apply some optimizations):</P> <PRE><CODE>index=qvmr_qvmregress_r groupID=qvmr_dev rsti_thumb_print=rsti_fvcad_ds_Tue_May_29_22_06_37_2018_fvcad-jenkins-01_fvcad_ds OR rsti_thumb_print=rsti_fvcad_ds_Thu_May_10_22_06_55_2018_fvcad-jenkins-01_fvcad_ds OR rsti_thumb_print=rsti_fvcad_ds_Thu_May_10_03_45_41_2018_fvcad-jenkins-01_fvcad_ds | makemv delim="," version_vector |eval success=case((isnotnull(success) AND success="") OR success="0","FAIL",success="1","PASS", success="-1","UNFINISHED", true(),success) |makemv delim="," version_vector | stats list(actual_status) as l_status,list(success) as status ,list(version_vector) as vv by dut_id,rsti_thumb_print |search vv="*" | eval status=coalesce(status,"SCHEDULED") |stats count(eval(status=="PASS")) as pass_count count(eval(status=="FAIL")) as fail_count count(eval(status=="SCHEDULED")) as incmp_count count(eval("PASS"+"FAIL"+"SCHEDULED")) as total_count by rsti_thumb_print | append [search index=qvmr_qvmregress_r groupID=qvmr_dev rsti_thumb_print=rsti_fvcad_ds_Thu_May_10_22_06_55_2018_fvcad-jenkins-01_fvcad_ds | dedup dut_id | stats count(dut_id) as max_tests by rsti_thumb_print] | stats values(*) as * by rsti_thumb_print | eval diff=max_tests - total_count | table max_tests total_count diff rsti_thumb_print </CODE></PRE> Tue, 29 Sep 2020 19:47:13 GMT https://community.splunk.com/t5/Splunk-Search/How-to-override-only-specific-fields-using-appendcols/m-p/424066#M121640 somesoni2 2020-09-29T19:47:13Z https://community.splunk.com/t5/Splunk-Search/How-to-override-only-specific-fields-using-appendcols/m-p/424067#M121641 <P>Hi Soni,</P> <P>Thanks for the query, but i wanted the max_tests value to be populated for the rest of the two fields also. If i can populate the max_tests field to the rest of the fields, i can do a subtraction on those rem fields. </P> <P>Any ideas on how to populate the rest of the fields. </P> <P><IMG src="https://community.splunk.com/storage/temp/250828-splunk-query-result.jpg" alt="alt text" /></P> Tue, 29 Sep 2020 19:44:11 GMT https://community.splunk.com/t5/Splunk-Search/How-to-override-only-specific-fields-using-appendcols/m-p/424067#M121641 Maniteja81 2020-09-29T19:44:11Z