https://community.splunk.com/t5/Splunk-Search/how-to-combine-2-separate-queries-and-list-there-data-in-tabular/m-p/522497#M147327 <P>e.g</P><P>QUERY 1: host=jtcstcxbsswb* source="/usr/IBM/HTTPServer/logs/access*" httpmethod="GET" statuscode="200" loaninfo="/api*" OR Requestinfo="*/" OR sitename="*/LoginAccountUserName"</P><P>|eval APFields=split(loaninfo,"/")</P><P>|eval APNumOfFields=mvcount(APFields)</P><P>|eval AP2ndFromLast=mvindex(APFields,APNumOfFields-2)</P><P>|eval APLoanNumber=mvindex(APFields,6)</P><P>|eval APLast=mvindex(APFields,-1)</P><P>|search APLast="loans" OR APLast="summary" OR APLast="payments"</P><P>|timechart count(APLast), Avg(cookie) as URT&nbsp; by APLast</P><P>&nbsp;</P><P>Query 2 :sourcetype=apigee:digit* host=JTCLSGLAPGERT* APIProduct=*-Authenticated-Product<BR />|timechart span=5m distinct_count(LoginAccountUserName)<BR /><BR /></P><P>i want something like this</P><P>&nbsp;</P><P>host=jtcstcxbsswb* source="/usr/IBM/HTTPServer/logs/access*" httpmethod="GET" statuscode="200" loaninfo="/api*"&nbsp;</P><P>|eval APFields=split(loaninfo,"/")</P><P>|eval APNumOfFields=mvcount(APFields)</P><P>|eval AP2ndFromLast=mvindex(APFields,APNumOfFields-2)</P><P>|eval APLoanNumber=mvindex(APFields,6)</P><P>|eval APLast=mvindex(APFields,-1)</P><P>|search APLast="loans" OR APLast="summary" OR APLast="payments"</P><P>|stats count(APLast), Avg(cookie) as URT&nbsp; by APLast</P><P>|append [search sourcetype=apigee:digit* host=JTCLSGLAPGERT* APIProduct=*-Authenticated-Product<BR />|timechart span=5m distinct_count(LoginAccountUserName) ]<BR />&nbsp;|bin _time|stats count(APLast), Avg(cookie) as URT ,distinct_count(LoginAccountUserName) by APLast</P><P><BR />I am able to get the data&nbsp; as&nbsp;<BR />Time&nbsp; | count(APLAST) | URT | LoginAccountUserName (I see only zero values in&nbsp;LoginAccountUserName)</P><P><BR />how to fetch the LoginAccountUserName data from 2nd query and list it here.</P> Thu, 01 Oct 2020 14:03:16 GMT Aps17 2020-10-01T14:03:16Z https://community.splunk.com/t5/Splunk-Search/how-to-combine-2-separate-queries-and-list-there-data-in-tabular/m-p/522497#M147327 <P>e.g</P><P>QUERY 1: host=jtcstcxbsswb* source="/usr/IBM/HTTPServer/logs/access*" httpmethod="GET" statuscode="200" loaninfo="/api*" OR Requestinfo="*/" OR sitename="*/LoginAccountUserName"</P><P>|eval APFields=split(loaninfo,"/")</P><P>|eval APNumOfFields=mvcount(APFields)</P><P>|eval AP2ndFromLast=mvindex(APFields,APNumOfFields-2)</P><P>|eval APLoanNumber=mvindex(APFields,6)</P><P>|eval APLast=mvindex(APFields,-1)</P><P>|search APLast="loans" OR APLast="summary" OR APLast="payments"</P><P>|timechart count(APLast), Avg(cookie) as URT&nbsp; by APLast</P><P>&nbsp;</P><P>Query 2 :sourcetype=apigee:digit* host=JTCLSGLAPGERT* APIProduct=*-Authenticated-Product<BR />|timechart span=5m distinct_count(LoginAccountUserName)<BR /><BR /></P><P>i want something like this</P><P>&nbsp;</P><P>host=jtcstcxbsswb* source="/usr/IBM/HTTPServer/logs/access*" httpmethod="GET" statuscode="200" loaninfo="/api*"&nbsp;</P><P>|eval APFields=split(loaninfo,"/")</P><P>|eval APNumOfFields=mvcount(APFields)</P><P>|eval AP2ndFromLast=mvindex(APFields,APNumOfFields-2)</P><P>|eval APLoanNumber=mvindex(APFields,6)</P><P>|eval APLast=mvindex(APFields,-1)</P><P>|search APLast="loans" OR APLast="summary" OR APLast="payments"</P><P>|stats count(APLast), Avg(cookie) as URT&nbsp; by APLast</P><P>|append [search sourcetype=apigee:digit* host=JTCLSGLAPGERT* APIProduct=*-Authenticated-Product<BR />|timechart span=5m distinct_count(LoginAccountUserName) ]<BR />&nbsp;|bin _time|stats count(APLast), Avg(cookie) as URT ,distinct_count(LoginAccountUserName) by APLast</P><P><BR />I am able to get the data&nbsp; as&nbsp;<BR />Time&nbsp; | count(APLAST) | URT | LoginAccountUserName (I see only zero values in&nbsp;LoginAccountUserName)</P><P><BR />how to fetch the LoginAccountUserName data from 2nd query and list it here.</P> Thu, 01 Oct 2020 14:03:16 GMT https://community.splunk.com/t5/Splunk-Search/how-to-combine-2-separate-queries-and-list-there-data-in-tabular/m-p/522497#M147327 Aps17 2020-10-01T14:03:16Z https://community.splunk.com/t5/Splunk-Search/how-to-combine-2-separate-queries-and-list-there-data-in-tabular/m-p/522517#M147328 <P>Looking at the last bits of the merged query</P><LI-CODE lang="markup">|stats count(APLast), Avg(cookie) as URT by APLast |append [search sourcetype=apigee:digit* host=JTCLSGLAPGERT* APIProduct=*-Authenticated-Product |timechart span=5m distinct_count(LoginAccountUserName) ] |bin _time |stats count(APLast), Avg(cookie) as URT ,distinct_count(LoginAccountUserName) by APLast</LI-CODE><P>we see that before the <FONT face="courier new,courier">append</FONT> we have results containing fields APLast, count(APLast), and URT.</P><P>The <FONT face="courier new,courier">append</FONT> command produces additional results with fields _time, and distinct_count(LoginAccountUserName).</P><P>The final <FONT face="courier new,courier">stats</FONT> command then attempts to blend the two sets of results by the APLast field. but cannot do so because <FONT face="courier new,courier">append</FONT> did not return a field by that name.</P><P>The <FONT face="courier new,courier">bin_time</FONT> command is wasted since the final <FONT face="courier new,courier">stats</FONT> command does not use _time.</P><P>I hope that explains why you're not getting the expected results.&nbsp; I can't offer a solution to the problem because I don't know your data well enough to determine how to relate LoginAccountUserName to anything else.</P> Thu, 01 Oct 2020 14:54:05 GMT https://community.splunk.com/t5/Splunk-Search/how-to-combine-2-separate-queries-and-list-there-data-in-tabular/m-p/522517#M147328 richgalloway 2020-10-01T14:54:05Z