topic Combine 2 Splunk queries in Splunk Search

Combine 2 Splunk queries

nishil — Fri, 05 Aug 2011 16:10:29 GMT

I have 2 splunk searches:

First:

This extracts whats the URLs in column 10 and unique counts the URLs

sourcetype=hwa_other source=/var/tomcat/servers/HAP01/logs/tomcat_access*.log | rex field=_raw "(?i)^(?:[^ ]* ){10}(?P<URL>[^ ]+)" | stats count by URL

Second:

This counts the occurences of dealswidget or hotelquerywidget

sourcetype=hwa_other source=/var/tomcat/servers/HAP01/logs/tomcat_access*.log "dealswidget" OR "hotelquerywidget" | rex "(?<myword>dealswidget|hotelquerywidget)" | stats count by myword

Now i would like to combine the two serches so that i get a count of dealswidget" OR hotelquerywidget (from the second search) and then a count of unique URLs (from the first search).

Any ideas? Simply piping one search to the other dont work.

Thanks for the assitance.

Re: Combine 2 Splunk queries

Ledion_Bitincka — Fri, 05 Aug 2011 21:05:01 GMT

You can use the append search command as follows:

..... | stats count BY URL | append [..... | stats count BY myword]

Re: Combine 2 Splunk queries

jrwilk01 — Fri, 05 Aug 2011 21:22:49 GMT

I'm not completly sure I understand what you are asking for, but I have an idea. If I miss, post a mocked up example of what you expect your results table to look like.

I think you are looking for the "append" search command.

Try this:

sourcetype=hwa_other source=/var/tomcat/servers/HAP01/logs/tomcat_access*.log "dealswidget" OR "hotelquerywidget" | rex "(?<myword>dealswidget|hotelquerywidget)" | stats count by myword | append [sourcetype=hwa_other source=/var/tomcat/servers/HAP01/logs/tomcat_access.log | rex field=_raw "(?i)^(?:[^ ] ){10}(?P<url>[^ ]+)" | stats count by URL]

Re: Combine 2 Splunk queries

alancalvitti — Tue, 02 Jul 2019 16:05:27 GMT

When the prefix query ( .....) is long, is there a way to assign that to an identifier so it can be referenced more than once?