https://community.splunk.com/t5/Splunk-Search/Need-help-to-combine-inputlookup-and-map-search-for-two-sources/m-p/509097#M142246 <P>Team,</P><P>&nbsp;</P><P>Need help to build a dashboard .</P><P>WH.csv content</P><P>XXX</P><P>YYY</P><P>I want to search in two different sources but wanna use the same variable from inputlookup variable.</P><P>&nbsp;</P><P>existing Query</P><P>| inputlookup WH.csv<BR />| table ware_house<BR />| map search="search index=wh source=$ware_house$_WH_OVERVIEW| head 1<BR />| stats list(Routes) AS ROUTE list(source) AS WH | appendcols [ search index=wh source=$ware_house$_WH_SHIPPING | head 5 | stats list(LabelsCreated) AS LabelsCreated by LabelType | stats sum(LabelsCreated) AS SUMMARY ] "</P><P>&nbsp;</P><P>Issue : second search is not getting the variable $ware_house$ so it does not return any result.<BR /><BR />As soon as the base search work would like to add it in the Dashboard.</P><P>&nbsp;</P> Tue, 14 Jul 2020 16:27:10 GMT kiragsplunk 2020-07-14T16:27:10Z https://community.splunk.com/t5/Splunk-Search/Need-help-to-combine-inputlookup-and-map-search-for-two-sources/m-p/509097#M142246 <P>Team,</P><P>&nbsp;</P><P>Need help to build a dashboard .</P><P>WH.csv content</P><P>XXX</P><P>YYY</P><P>I want to search in two different sources but wanna use the same variable from inputlookup variable.</P><P>&nbsp;</P><P>existing Query</P><P>| inputlookup WH.csv<BR />| table ware_house<BR />| map search="search index=wh source=$ware_house$_WH_OVERVIEW| head 1<BR />| stats list(Routes) AS ROUTE list(source) AS WH | appendcols [ search index=wh source=$ware_house$_WH_SHIPPING | head 5 | stats list(LabelsCreated) AS LabelsCreated by LabelType | stats sum(LabelsCreated) AS SUMMARY ] "</P><P>&nbsp;</P><P>Issue : second search is not getting the variable $ware_house$ so it does not return any result.<BR /><BR />As soon as the base search work would like to add it in the Dashboard.</P><P>&nbsp;</P> Tue, 14 Jul 2020 16:27:10 GMT https://community.splunk.com/t5/Splunk-Search/Need-help-to-combine-inputlookup-and-map-search-for-two-sources/m-p/509097#M142246 kiragsplunk 2020-07-14T16:27:10Z https://community.splunk.com/t5/Splunk-Search/Need-help-to-combine-inputlookup-and-map-search-for-two-sources/m-p/509116#M142250 <P>How did you verify the token is not getting passed into the <FONT face="courier new,courier">map</FONT> command?</P><P>Have you tried using the concatenation operator?</P><LI-CODE lang="markup">| inputlookup WH.csv | table ware_house | map search="search index=wh source=$ware_house$."_WH_OVERVIEW" | head 1 | stats list(Routes) AS ROUTE list(source) AS WH | appendcols [ search index=wh source=$ware_house$."_WH_SHIPPING" | head 5 | stats list(LabelsCreated) AS LabelsCreated by LabelType | stats sum(LabelsCreated) AS SUMMARY ] "</LI-CODE><P>Also, I think the subsearch to <FONT face="courier new,courier">appendcols</FONT> won't work.&nbsp; The second <FONT face="courier new,courier">stats</FONT> command is trying to add up a multi-value field, which it probably won't do.</P> Tue, 14 Jul 2020 18:26:30 GMT https://community.splunk.com/t5/Splunk-Search/Need-help-to-combine-inputlookup-and-map-search-for-two-sources/m-p/509116#M142250 richgalloway 2020-07-14T18:26:30Z https://community.splunk.com/t5/Splunk-Search/Need-help-to-combine-inputlookup-and-map-search-for-two-sources/m-p/509132#M142256 <P>Thanks Rich,</P><P>Could you please recommend any search string to accomplish this. as you said appendcols not working in map.&nbsp; if I manually assign value (XXX_WH_OVERVIEW &amp; XXX_WH_SHIPPING) works fine. whats the best approach do you recommend?</P> Tue, 14 Jul 2020 20:00:31 GMT https://community.splunk.com/t5/Splunk-Search/Need-help-to-combine-inputlookup-and-map-search-for-two-sources/m-p/509132#M142256 kiragsplunk 2020-07-14T20:00:31Z https://community.splunk.com/t5/Splunk-Search/Need-help-to-combine-inputlookup-and-map-search-for-two-sources/m-p/509134#M142258 <P>I ran the query manually to validate the second string.. it would be great if I get this fixed in search..</P> Tue, 14 Jul 2020 20:12:33 GMT https://community.splunk.com/t5/Splunk-Search/Need-help-to-combine-inputlookup-and-map-search-for-two-sources/m-p/509134#M142258 kiragsplunk 2020-07-14T20:12:33Z https://community.splunk.com/t5/Splunk-Search/Need-help-to-combine-inputlookup-and-map-search-for-two-sources/m-p/509139#M142259 <P>Let's break the query up, get the pieces working, then put them together.&nbsp; Do these two searches produce the expected results?</P><LI-CODE lang="markup">index=wh [ | inputlookup WH.csv | eval source=ware_house . "_WH_OVERVIEW" | fields source | format ] | head 1 | stats list(Routes) AS ROUTE list(source) AS WH by source</LI-CODE><P>&nbsp;</P><LI-CODE lang="markup">index=wh [ | inputlookup WH.csv | eval source=ware_house . "_WH_SHIPPING" | fields source | format ] | head 5 | stats list(LabelsCreated) AS LabelsCreated by LabelType | stats sum(LabelsCreated) AS SUMMARY</LI-CODE> Tue, 14 Jul 2020 20:58:18 GMT https://community.splunk.com/t5/Splunk-Search/Need-help-to-combine-inputlookup-and-map-search-for-two-sources/m-p/509139#M142259 richgalloway 2020-07-14T20:58:18Z https://community.splunk.com/t5/Splunk-Search/Need-help-to-combine-inputlookup-and-map-search-for-two-sources/m-p/509332#M142332 <P>I am getting expected results in both search, could you please help me to append it, if I append the results I am getting time&nbsp; range Error and no results found.&nbsp;</P> Wed, 15 Jul 2020 15:06:49 GMT https://community.splunk.com/t5/Splunk-Search/Need-help-to-combine-inputlookup-and-map-search-for-two-sources/m-p/509332#M142332 kiragsplunk 2020-07-15T15:06:49Z https://community.splunk.com/t5/Splunk-Search/Need-help-to-combine-inputlookup-and-map-search-for-two-sources/m-p/509354#M142341 We've verified each subsearch works. Good.<BR />Now the problem is how to combine them. To correlate the events from each subsearch, there must be something in common between them. I see no commonality, but I'm not familiar with the data. Do the subsearches share a field? Wed, 15 Jul 2020 16:53:40 GMT https://community.splunk.com/t5/Splunk-Search/Need-help-to-combine-inputlookup-and-map-search-for-two-sources/m-p/509354#M142341 richgalloway 2020-07-15T16:53:40Z https://community.splunk.com/t5/Splunk-Search/Need-help-to-combine-inputlookup-and-map-search-for-two-sources/m-p/509404#M142360 <P>No common in between.. those are two different sources from the same index.&nbsp; I&nbsp; don't see any common field in between both search. ( except the index)</P> Wed, 15 Jul 2020 20:54:32 GMT https://community.splunk.com/t5/Splunk-Search/Need-help-to-combine-inputlookup-and-map-search-for-two-sources/m-p/509404#M142360 kiragsplunk 2020-07-15T20:54:32Z https://community.splunk.com/t5/Splunk-Search/Need-help-to-combine-inputlookup-and-map-search-for-two-sources/m-p/509426#M142372 That's a big stumbling block. The lack of something in common means Splunk has nothing to use to pair up events from each search. Thu, 16 Jul 2020 00:25:49 GMT https://community.splunk.com/t5/Splunk-Search/Need-help-to-combine-inputlookup-and-map-search-for-two-sources/m-p/509426#M142372 richgalloway 2020-07-16T00:25:49Z https://community.splunk.com/t5/Splunk-Search/Need-help-to-combine-inputlookup-and-map-search-for-two-sources/m-p/509510#M142397 <P>May I use a python script to run each query separately then combine the results to a csv .</P><P>&nbsp;</P><P>that results can be viewed is Dashboard right? Please advise.</P> Thu, 16 Jul 2020 13:10:52 GMT https://community.splunk.com/t5/Splunk-Search/Need-help-to-combine-inputlookup-and-map-search-for-two-sources/m-p/509510#M142397 kiragsplunk 2020-07-16T13:10:52Z https://community.splunk.com/t5/Splunk-Search/Need-help-to-combine-inputlookup-and-map-search-for-two-sources/m-p/509537#M142409 I'm not sure how a python script would merge the results, but I suppose it's possible. The resulting CSV file could then be displayed by a dashboard. Thu, 16 Jul 2020 14:33:12 GMT https://community.splunk.com/t5/Splunk-Search/Need-help-to-combine-inputlookup-and-map-search-for-two-sources/m-p/509537#M142409 richgalloway 2020-07-16T14:33:12Z