https://community.splunk.com/t5/Splunk-Search/Combining-different-searches-into-one-search-with-different/m-p/538871#M152387 <P>Hello</P><P>I wanted to request some assistance with the topic of combining different searches from the same index and same sourcetype but different sources into a table or report even.</P><P>I struggle with the concept of combining them.</P><P>I have researched joins, stats, charts etc. but I am trying to implement them and am getting errors for which I am missing a point making me unsure of how to combine effectively to get the results I need.&nbsp;</P><P>So any guidance or information that may assist me to learn properly would be very helpful.</P><P>I have the following separate searches that give me the results I need:</P><P>====================================</P><P>Storage<BR />index="SRV" sourcetype=WinHostMon source=disk DriveType=fixed TotalSpaceKB="*"<BR />| eval TotalSpaceKB = round (TotalSpaceKB/100000000)<BR />| stats sum(TotalSpaceKB) as "TotalSpace (GB)" by host</P><P>OS<BR />index="SRV" sourcetype=WinHostMon source=operatingsystem os="*"<BR />| dedup host<BR />| table host os</P><P>CPU<BR />index="SRV" sourcetype=WinHostMon source=processor NumberOfProcessors="*"<BR />| dedup host<BR />| table host NumberOfProcessors</P><P>Memory<BR />index="SRV" sourcetype=WinHostMon source=operatingsystem TotalPhysicalMemoryKB="*"<BR />| dedup host<BR />| eval "TotalPhysicalMemory (GB)" = round (((TotalPhysicalMemoryKB)/1000000),1)<BR />| table host "TotalPhysicalMemory (GB)"</P><P>=============================</P><P>My end goal is to provide a single table or report with the following columns</P><P>Host, OS, Number of Processors, total physical memory, total storage&nbsp;</P><P>Thank you</P><P>Dan</P> Sat, 06 Feb 2021 18:59:03 GMT Hudond 2021-02-06T18:59:03Z https://community.splunk.com/t5/Splunk-Search/Combining-different-searches-into-one-search-with-different/m-p/538871#M152387 <P>Hello</P><P>I wanted to request some assistance with the topic of combining different searches from the same index and same sourcetype but different sources into a table or report even.</P><P>I struggle with the concept of combining them.</P><P>I have researched joins, stats, charts etc. but I am trying to implement them and am getting errors for which I am missing a point making me unsure of how to combine effectively to get the results I need.&nbsp;</P><P>So any guidance or information that may assist me to learn properly would be very helpful.</P><P>I have the following separate searches that give me the results I need:</P><P>====================================</P><P>Storage<BR />index="SRV" sourcetype=WinHostMon source=disk DriveType=fixed TotalSpaceKB="*"<BR />| eval TotalSpaceKB = round (TotalSpaceKB/100000000)<BR />| stats sum(TotalSpaceKB) as "TotalSpace (GB)" by host</P><P>OS<BR />index="SRV" sourcetype=WinHostMon source=operatingsystem os="*"<BR />| dedup host<BR />| table host os</P><P>CPU<BR />index="SRV" sourcetype=WinHostMon source=processor NumberOfProcessors="*"<BR />| dedup host<BR />| table host NumberOfProcessors</P><P>Memory<BR />index="SRV" sourcetype=WinHostMon source=operatingsystem TotalPhysicalMemoryKB="*"<BR />| dedup host<BR />| eval "TotalPhysicalMemory (GB)" = round (((TotalPhysicalMemoryKB)/1000000),1)<BR />| table host "TotalPhysicalMemory (GB)"</P><P>=============================</P><P>My end goal is to provide a single table or report with the following columns</P><P>Host, OS, Number of Processors, total physical memory, total storage&nbsp;</P><P>Thank you</P><P>Dan</P> Sat, 06 Feb 2021 18:59:03 GMT https://community.splunk.com/t5/Splunk-Search/Combining-different-searches-into-one-search-with-different/m-p/538871#M152387 Hudond 2021-02-06T18:59:03Z https://community.splunk.com/t5/Splunk-Search/Combining-different-searches-into-one-search-with-different/m-p/538877#M152389 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/164382">@Hudond</a>,</P><P>You don't need to run different searches because you can take data in one search something like this:</P><LI-CODE lang="markup">index="SRV" sourcetype=WinHostMon | stats sum(TotalSpaceKB) as "TotalSpace (GB)" values(os) AS os values(NumberOfProcessors) AS NumberOfProcessors values("TotalPhysicalMemory (GB)") AS "TotalPhysicalMemory (GB)" by host | eval TotalSpaceKB = round (TotalSpaceKB/100000000), "TotalPhysicalMemory (GB)" = round (((TotalPhysicalMemoryKB)/1000000),1)</LI-CODE><P>Storage CPU, memory and OS are static data , so I hint to schedule this search and put results in a lookup, in this way you'll have all the data quickly usable without rerun the search.</P><P>In addition: Splunk isn't a DB where data are separated, using Splunk you have to think in a different way!</P><P>Ciao.</P><P>Giuseppe</P> Sun, 07 Feb 2021 06:57:18 GMT https://community.splunk.com/t5/Splunk-Search/Combining-different-searches-into-one-search-with-different/m-p/538877#M152389 gcusello 2021-02-07T06:57:18Z https://community.splunk.com/t5/Splunk-Search/Combining-different-searches-into-one-search-with-different/m-p/539295#M152532 <P>Thank you&nbsp;<SPAN>Giuseppe, that helped lead me in the right direction.</SPAN></P> Wed, 10 Feb 2021 13:21:21 GMT https://community.splunk.com/t5/Splunk-Search/Combining-different-searches-into-one-search-with-different/m-p/539295#M152532 Hudond 2021-02-10T13:21:21Z https://community.splunk.com/t5/Splunk-Search/Combining-different-searches-into-one-search-with-different/m-p/539305#M152535 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/164382">@Hudond</a>,</P><P>good for you.</P><P>Ciao and happy splunking.</P><P>Giuseppe</P><P>P.S.: Karma Points are appreciated <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Wed, 10 Feb 2021 14:13:13 GMT https://community.splunk.com/t5/Splunk-Search/Combining-different-searches-into-one-search-with-different/m-p/539305#M152535 gcusello 2021-02-10T14:13:13Z