https://community.splunk.com/t5/Splunk-Search/How-to-combine-outputs-from-2-different-searches-where-fields/m-p/322987#M163441 <P>Nevermind, I was just being dumb. It seems no matter how I search by field3, field 2 doesn't exist.</P> <P>Thanks for the help though!</P> Mon, 22 Jan 2018 16:30:52 GMT auraria 2018-01-22T16:30:52Z https://community.splunk.com/t5/Splunk-Search/How-to-combine-outputs-from-2-different-searches-where-fields/m-p/322984#M163438 <P>EDIT: Nevermind, I was just being dumb. It seems no matter how I search by field3 value that triggered on field1, field 2 doesn't exist. For some reason I thought it did.</P> <P>I have an interesting issue I'm trying to solve and I've hit a road block at this point. </P> <P>Basically what I'm trying to accomplish is take the output of <CODE>search1</CODE>, <CODE>append search2</CODE>, and then match by both by <CODE>field 3</CODE> since it exists in both searches.</P> <P><CODE>Search1</CODE> and <CODE>search2</CODE> have the same index, but produces mostly the same fields however there's a few that are not present on one search that the other has and vice versa. Let's call those <CODE>field1</CODE> and <CODE>field2</CODE>. EDIT: <CODE>Field 1</CODE> only exists in <CODE>search1</CODE> and <CODE>Field2</CODE> only exists in <CODE>search2</CODE>.</P> <P>This is my current query: </P> <PRE><CODE>index=s_index1 string field1="value" OR field1="value" OR string field3!="value" | transaction field3 | append [search index=s_index1 string field2="*" | transaction field3] | transaction field3 | table _time, field4, field5, field3, field6, field1, field2 </CODE></PRE> <P>This is currently not working to the full effect I'd like, It seems most of the data is there but it's not correct/interpreting it correctly. </P> <P>I normally use eval to match the two separate fields with the same/or separate data is there a way to use eval in a way to match on searches? </P> <P>Such as <CODE>| eval search 1 field3=search 2 field 3</CODE> or is there a way to do this that I'm simply missing? Should I be using the join command instead of append? Any help would be greatly appreciated.</P> Mon, 22 Jan 2018 15:34:51 GMT https://community.splunk.com/t5/Splunk-Search/How-to-combine-outputs-from-2-different-searches-where-fields/m-p/322984#M163438 auraria 2018-01-22T15:34:51Z https://community.splunk.com/t5/Splunk-Search/How-to-combine-outputs-from-2-different-searches-where-fields/m-p/322985#M163439 <P>Hi auraria, </P> <P>would the following search work?</P> <P><CODE>(index=s_index1 ((string AND field1="value") OR (field1="value") OR (string AND field3!="value")) OR (search index=s_index1 AND string AND field2="") | transaction field3 | table _time, field4, field5, field3, field6, field1, field2</CODE></P> Mon, 22 Jan 2018 15:55:35 GMT https://community.splunk.com/t5/Splunk-Search/How-to-combine-outputs-from-2-different-searches-where-fields/m-p/322985#M163439 horsefez 2018-01-22T15:55:35Z https://community.splunk.com/t5/Splunk-Search/How-to-combine-outputs-from-2-different-searches-where-fields/m-p/322986#M163440 <P>I've tried this as well, in a slightly different way(basically removed extra parens). Still didn't get me the results I was interested in. </P> <P>I'm going to look at the data a bit more closely on boths sides to make sure I'm not missing something obvious.</P> <P>I'll continue to update the thread as I find out something new. <BR /> Thank you!</P> Mon, 22 Jan 2018 16:12:04 GMT https://community.splunk.com/t5/Splunk-Search/How-to-combine-outputs-from-2-different-searches-where-fields/m-p/322986#M163440 auraria 2018-01-22T16:12:04Z https://community.splunk.com/t5/Splunk-Search/How-to-combine-outputs-from-2-different-searches-where-fields/m-p/322987#M163441 <P>Nevermind, I was just being dumb. It seems no matter how I search by field3, field 2 doesn't exist.</P> <P>Thanks for the help though!</P> Mon, 22 Jan 2018 16:30:52 GMT https://community.splunk.com/t5/Splunk-Search/How-to-combine-outputs-from-2-different-searches-where-fields/m-p/322987#M163441 auraria 2018-01-22T16:30:52Z