topic Re: Combine 2 searches into one pie chart in Splunk Search

Combine 2 searches into one pie chart

HMIPowell — Thu, 10 Jun 2021 13:22:49 GMT

How can the following 2 searches be used in a single Pie Chart?

SEARCH ONE
index=security host=THAT* OR host=THIS* SourceName="Microsoft-AzureMfa-AuthZ" "Access Accepted" | rex field=Message "\S*user (?<ValueOne>\S*)" | dedup ValueOne | Stats Count

SEARCH TWO
index=network source="D:\\Radlogs\\IN*.log" SOMETHING1* "4136,2," | rex "(?:[^,]*,\s*){1}(?<ValueTwo>\w+)"| dedup ValueTwo | Stats Count

I can join both the statements, but that doesn't allow them both to be used in a single chart. Seems one carries precedence over the other.

Also tried
( index=security host=THAT* OR host=THIS* SourceName="Microsoft-AzureMfa-AuthZ" "Access Accepted" | rex field=Message "\S*user (?<ValueOne>\S*)" | dedup ValueOne ) OR ( index=network source="D:\\Radlogs\\IN*.log" SOMETHING1* "4136,2," | rex "(?:[^,]*,\s*){1}(?<ValueTwo>\w+)"| dedup ValueTwo ) | stats count by index | replace security with TestOne network with TestTwo

that gives a unbalanced parentheses error

Re: Combine 2 searches into one pie chart

kamlesh_vaghela — Thu, 10 Jun 2021 13:38:38 GMT

@HMIPowell

Are you looking for this?

index=security host=THAT* OR host=THIS* SourceName="Microsoft-AzureMfa-AuthZ" "Access Accepted" | rex field=Message "\S*user (?<ValueOne>\S*)" | dedup ValueOne | append [ search index=network source="D:\\Radlogs\\IN*.log" SOMETHING1* "4136,2," | rex "(?:[^,]*,\s*){1}(?<ValueTwo>\w+)" | dedup ValueTwo ] | stats count by index | replace security with TestOne network with TestTwo

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

Re: Combine 2 searches into one pie chart

HMIPowell — Thu, 10 Jun 2021 13:44:01 GMT

Exacty that! Thanks for the quick response!

Re: Combine 2 searches into one pie chart

kamlesh_vaghela — Thu, 10 Jun 2021 13:45:40 GMT

@HMIPowell

Glad to help you.

Happy Splunking