https://community.splunk.com/t5/Splunk-Search/Search-query-result-from-two-log-statements/m-p/469376#M132088 <P>Hi,</P> <P>I wanted to search result as count from two log statements.<BR /> one log statement has value "...Out of stock ..." <BR /> and another log statement has "DF Suppressed"<BR /> I wanted to get count of these two for transaction for past 10 days. Each log statement prints with a transactionId.</P> <P>This is the one I have for only one item<BR /> index=idp_* "DF Suppressed" | dedup x_TraceId | stats count as DF_Supress_count | where DF_Supress_count&gt;0</P> <P>But I want to include "Out of stock" to the query</P> Wed, 30 Sep 2020 02:45:00 GMT mahenderj 2020-09-30T02:45:00Z https://community.splunk.com/t5/Splunk-Search/Search-query-result-from-two-log-statements/m-p/469376#M132088 <P>Hi,</P> <P>I wanted to search result as count from two log statements.<BR /> one log statement has value "...Out of stock ..." <BR /> and another log statement has "DF Suppressed"<BR /> I wanted to get count of these two for transaction for past 10 days. Each log statement prints with a transactionId.</P> <P>This is the one I have for only one item<BR /> index=idp_* "DF Suppressed" | dedup x_TraceId | stats count as DF_Supress_count | where DF_Supress_count&gt;0</P> <P>But I want to include "Out of stock" to the query</P> Wed, 30 Sep 2020 02:45:00 GMT https://community.splunk.com/t5/Splunk-Search/Search-query-result-from-two-log-statements/m-p/469376#M132088 mahenderj 2020-09-30T02:45:00Z https://community.splunk.com/t5/Splunk-Search/Search-query-result-from-two-log-statements/m-p/469377#M132089 <P>Maybe something like this:</P> <PRE><CODE>index=idp_* ("DF Suppressed" OR "Out of stock") transactionId=* | rex field=_raw ".+(?&lt;dfsuppressed&gt;DF Suppressed)" | rex field=_raw ".+(?&lt;outofstock&gt;Out of stock)" | stats count(outofstock) as oosCount count(dfsuppressed) as dfsCount by transactionId </CODE></PRE> <P>Add additional filtering later - for example:</P> <PRE><CODE>| where dfsCount&gt;0 AND oosCount&gt;0 </CODE></PRE> <P>...or whatever else you might like.</P> <P>This will create two new fields - <CODE>dfsuppressed</CODE> and <CODE>outofstock</CODE> - which will either have the text you're looking for in them, or be null.</P> Thu, 24 Oct 2019 22:14:11 GMT https://community.splunk.com/t5/Splunk-Search/Search-query-result-from-two-log-statements/m-p/469377#M132089 wmyersas 2019-10-24T22:14:11Z https://community.splunk.com/t5/Splunk-Search/Search-query-result-from-two-log-statements/m-p/469378#M132090 <P>Thanks for your answer. <BR /> Your search criteria ran without any errors but I see only Out of Stock(oosCount ) counts and 0 count for dfsCount.</P> Fri, 25 Oct 2019 03:47:08 GMT https://community.splunk.com/t5/Splunk-Search/Search-query-result-from-two-log-statements/m-p/469378#M132090 mahenderj 2019-10-25T03:47:08Z https://community.splunk.com/t5/Splunk-Search/Search-query-result-from-two-log-statements/m-p/469379#M132091 <P>Add a <CODE>|fillnull</CODE> between the second <CODE>| rex</CODE> line and the <CODE>| stats</CODE> thusly:</P> <PRE><CODE>index=idp_* ("DF Suppressed" OR "Out of stock") transactionId=* | rex field=_raw ".+(?&lt;dfsuppressed&gt;DF Suppressed)" | rex field=_raw ".+(?&lt;outofstock&gt;Out of stock)" | fillnull | stats count(outofstock) as oosCount count(dfsuppressed) as dfsCount by transactionId </CODE></PRE> <P>You may have events where one or the other of the <CODE>rex</CODE> lines isn't pulling an actual value, so it's getting null. Adding a <CODE>| fillnull</CODE> will put the value of <CODE>0</CODE> in any otherwise-null fields.</P> <P>Also, make sure that the <EM>exact</EM> text is correct on the <CODE>rex</CODE> lines (eg <CODE>"Out of stock"</CODE> vs <CODE>"Out Of Stock"</CODE>)</P> Wed, 30 Oct 2019 21:52:15 GMT https://community.splunk.com/t5/Splunk-Search/Search-query-result-from-two-log-statements/m-p/469379#M132091 wmyersas 2019-10-30T21:52:15Z