https://community.splunk.com/t5/Splunk-Search/merge-two-search-results/m-p/66455#M16528 <P>The actual search string is shown below.</P> <PRE><CODE>(sourcetype="mms_export" c_status=200) OR (sourcetype="we_accesslog" " NOT *.isml) |stats sum(sc_bytes) as sum_m sum(Bytes_Xferred) as sum_http by client_ip |join type=outer client_ip [search (sourcetype="we_accesslog" *.isml) | stats sum(Bytes_Xferred) as sum_smooth by client_ip ] |join type=outer client_ip [search (sourcetype="fms_access" ) | chart sum(sc_bytes) as sum by client_ip, x_event | eval diff_flash=disconnect-connect ] | fillnull sum_m sum_http sum_smooth diff_flash | eval WMT(GB)= round(sum_m/(1024*1024*1024),4) | eval WEB_HTTP(GB)= round(sum_http/(1024*1024*1024),4) | eval WEB_SMOOTH(GB) = round(sum_smooth/(1024*1024*1024),4) | eval flash(GB)=round(diff_flash/(1024*1024*1024),4) | fields client_ip WMT(GB) WEB_HTTP(GB) WEB_SMOOTH(GB) flash(GB) | addtotals </CODE></PRE> Mon, 13 Feb 2012 01:30:53 GMT KarunK 2012-02-13T01:30:53Z https://community.splunk.com/t5/Splunk-Search/merge-two-search-results/m-p/66449#M16522 <P>Hi,</P> <P>I have three search results giving me three different set of results, in which three is one common filed called object and the number of results in each results may vary. I have used append to merge these results but i am not happy with the results. I need merge all these result into a single table.</P> <P>The structure of the search I have used is given below. (its only a sample)</P> <PRE><CODE>serach 1 | stats .... by object append [ search2 | stats ..... by object append [ search3 | stats ...... by object </CODE></PRE> <P><STRONG>Results after append</STRONG></P> <PRE><CODE>OBJECT COUNT Requests Uniuqe ------------------------------------ http 100 rtsp 250 http 25 rtsp 21 rtmp 10 http 10 rtsp 11 </CODE></PRE> <P>What i need is as below.</P> <PRE><CODE>OBJECT COUNT Requests Uniuqe ------------------------------------ http 100 25 10 rtsp 250 21 11 rtmp 10 </CODE></PRE> <P>How can I do this. Can i use join instead of append ?</P> Tue, 07 Feb 2012 04:26:09 GMT https://community.splunk.com/t5/Splunk-Search/merge-two-search-results/m-p/66449#M16522 KarunK 2012-02-07T04:26:09Z https://community.splunk.com/t5/Splunk-Search/merge-two-search-results/m-p/66450#M16523 <P>It's a bit hard to tell, since you don't give an example of the actual logs. Join can be a very expensive operation, and should probably be avoided if possible. </P> <P>Are there three different sourcetypes involved?</P> <P>/k</P> Tue, 07 Feb 2012 06:59:23 GMT https://community.splunk.com/t5/Splunk-Search/merge-two-search-results/m-p/66450#M16523 kristian_kolb 2012-02-07T06:59:23Z https://community.splunk.com/t5/Splunk-Search/merge-two-search-results/m-p/66451#M16524 <P>Yes there are different sourcetype involved.</P> <P>I have figured out a way to do it with join. But not sure whether this is the best way.</P> <P>Any Comments ?</P> <P>search 1 | stats .... by object<BR /> | join type=outer object [ search2 | stats ..... by object<BR /> | join type=outer object [ search3 | stats ...... by object</P> Tue, 07 Feb 2012 22:33:56 GMT https://community.splunk.com/t5/Splunk-Search/merge-two-search-results/m-p/66451#M16524 KarunK 2012-02-07T22:33:56Z https://community.splunk.com/t5/Splunk-Search/merge-two-search-results/m-p/66452#M16525 <P>The above soln seems to be not working. It only looks for the field - object in the first search and try to join the respective results from search 2 and search 3.</P> <P>What I was looking for was to complete merger of the three results that means I would like to see the results from search 2 and search 3 in the final results even though corresponding object is missing in search 1.</P> <P>Any ideas .....</P> <P>Please help ???</P> <P>Thanks in Advance</P> Fri, 10 Feb 2012 04:13:54 GMT https://community.splunk.com/t5/Splunk-Search/merge-two-search-results/m-p/66452#M16525 KarunK 2012-02-10T04:13:54Z https://community.splunk.com/t5/Splunk-Search/merge-two-search-results/m-p/66453#M16526 <P>Couldn't you just move the stats command to the end of your query?</P> <PRE><CODE>search 1 | append [ search2 ] | append [search 3] | stats ..... by object </CODE></PRE> Fri, 10 Feb 2012 09:28:20 GMT https://community.splunk.com/t5/Splunk-Search/merge-two-search-results/m-p/66453#M16526 Ayn 2012-02-10T09:28:20Z https://community.splunk.com/t5/Splunk-Search/merge-two-search-results/m-p/66454#M16527 <P>Nope its not working I am getting less no: of results than when I search separately and add them together.</P> Mon, 13 Feb 2012 01:26:29 GMT https://community.splunk.com/t5/Splunk-Search/merge-two-search-results/m-p/66454#M16527 KarunK 2012-02-13T01:26:29Z https://community.splunk.com/t5/Splunk-Search/merge-two-search-results/m-p/66455#M16528 <P>The actual search string is shown below.</P> <PRE><CODE>(sourcetype="mms_export" c_status=200) OR (sourcetype="we_accesslog" " NOT *.isml) |stats sum(sc_bytes) as sum_m sum(Bytes_Xferred) as sum_http by client_ip |join type=outer client_ip [search (sourcetype="we_accesslog" *.isml) | stats sum(Bytes_Xferred) as sum_smooth by client_ip ] |join type=outer client_ip [search (sourcetype="fms_access" ) | chart sum(sc_bytes) as sum by client_ip, x_event | eval diff_flash=disconnect-connect ] | fillnull sum_m sum_http sum_smooth diff_flash | eval WMT(GB)= round(sum_m/(1024*1024*1024),4) | eval WEB_HTTP(GB)= round(sum_http/(1024*1024*1024),4) | eval WEB_SMOOTH(GB) = round(sum_smooth/(1024*1024*1024),4) | eval flash(GB)=round(diff_flash/(1024*1024*1024),4) | fields client_ip WMT(GB) WEB_HTTP(GB) WEB_SMOOTH(GB) flash(GB) | addtotals </CODE></PRE> Mon, 13 Feb 2012 01:30:53 GMT https://community.splunk.com/t5/Splunk-Search/merge-two-search-results/m-p/66455#M16528 KarunK 2012-02-13T01:30:53Z https://community.splunk.com/t5/Splunk-Search/merge-two-search-results/m-p/66456#M16529 <P>Use 'appendcols'</P> Thu, 08 Mar 2012 12:04:02 GMT https://community.splunk.com/t5/Splunk-Search/merge-two-search-results/m-p/66456#M16529 ramab 2012-03-08T12:04:02Z https://community.splunk.com/t5/Splunk-Search/merge-two-search-results/m-p/66457#M16530 <P>Hi KarunK,</P> <P>Did you get the answer for your question, I am also looking for solution for the same problem. If you know the answer can you please help me.</P> <P>Thanks in advance</P> Tue, 19 Jul 2016 19:39:28 GMT https://community.splunk.com/t5/Splunk-Search/merge-two-search-results/m-p/66457#M16530 Laya123 2016-07-19T19:39:28Z https://community.splunk.com/t5/Splunk-Search/merge-two-search-results/m-p/66458#M16531 <P>Try this:</P> <P>search 1 | append [ search2 ] | append [search 3] <BR /> | Stats values(*) AS * by OBJECT<BR /> | table OBJECT COUNT Requests Uniuqe</P> Wed, 05 Jul 2017 18:23:10 GMT https://community.splunk.com/t5/Splunk-Search/merge-two-search-results/m-p/66458#M16531 srujan9292 2017-07-05T18:23:10Z https://community.splunk.com/t5/Splunk-Search/merge-two-search-results/m-p/66459#M16532 <P>What about adding...</P> <PRE><CODE>| stats first(*) as * by OBJECT </CODE></PRE> <P>...at the end of your search pipe?</P> <P>Limitation: This lightweight approach only works if every other column contains <EM>max. one unique value</EM> per OBJECT. Otherwise stick with the <EM>values()</EM> variant suggested by @srujan9292.</P> Tue, 08 May 2018 20:31:44 GMT https://community.splunk.com/t5/Splunk-Search/merge-two-search-results/m-p/66459#M16532 romanwaldecker 2018-05-08T20:31:44Z https://community.splunk.com/t5/Splunk-Search/merge-two-search-results/m-p/567474#M197762 <P>Thanks this worked for me</P> Fri, 17 Sep 2021 17:35:57 GMT https://community.splunk.com/t5/Splunk-Search/merge-two-search-results/m-p/567474#M197762 mehulraisinghan 2021-09-17T17:35:57Z