topic Re: Events list of append command in Splunk Search

Events list of append command

shayhibah — Tue, 29 Sep 2020 21:34:35 GMT

I have a query like this:

first_query | dedup 1 id | search action=drop | stats count by action, destination | fields action | stats count(eval(action=drop)) |
append [search second_query | dedup 1 id | search action=drop | stats count by action, source | fields action | stats count(eval(action=drop))]

After pressing on "events" tab in search view, I get relevant logs only for the first query and not even 1 log of the second query.
when running each query separately, the first_query gives me 11 events and the second_query gives me 71 events.

How can I get all results of all appended queries (82 events)?

Thanks

Re: Events list of append command

harishalipaka — Tue, 09 Oct 2018 06:04:56 GMT

hi @shayhibah

did you try like this --

index="_internal" sourcetype=splunkd |head 10 |append [search index="_internal" sourcetype=splunkd_ui_access |head 5]

Re: Events list of append command

shayhibah — Tue, 09 Oct 2018 06:12:09 GMT

@harishalipaka
Thank you for your response.
This query works great but for some reason mine isn't.
What can be the issue? I don't want to use 'head' in my query since I want to see all results.

Re: Events list of append command

harishalipaka — Tue, 09 Oct 2018 06:17:46 GMT

@shayhibah

ya you can use your own way here i mention head for examples purpose only .Just what i want to told here this is the syntax for how to append that's it.

Re: Events list of append command

shayhibah — Tue, 09 Oct 2018 06:19:55 GMT

@harishalipaka
I used your syntax (you can see it in the post above) but I does not work for me.

Any suggestions?

Re: Events list of append command

493669 — Tue, 09 Oct 2018 08:43:34 GMT

not sure if your query is working separately as you have to rename stats-eval part else it will give error-

first_query | dedup 1 id | search action=drop | stats count by action, destination | fields action | stats count(eval(action=drop)) as abc

Re: Events list of append command

DalJeanis — Wed, 10 Oct 2018 17:12:17 GMT

Seems like you are trying to compare the number of distinct destinations that experienced a drop, compared to the number of distinct sources. This can be done in a single combined query, without doing an append at all. Whenever possible, you want to do your searches that way.

If the two searches are returning the exact same records to be counted two different ways, you could do it completely using this format...

( first_query ) OR ( second_query ) 
| dedup id
| search action=drop 
| stats dc(source) as source dc(destination) as destination

On the other hand, if they are different record types, then try something like this...

( first_query ) OR ( second_query )
| eval thequery=case(first_query,"destination", second_query, "source")  
| dedup 1 id thequery
| eval field2=case(first_query,destination, second_query,source)
| search action=drop 
| stats dc(field2) as count by field2
| eval junk=1
| xyseries junk field2 count

Note - If the different searches have different indexes or sourcetype, you could use that distinctive field instead of building the field thequery.

Re: Events list of append command

woodcock — Thu, 10 Jan 2019 17:32:38 GMT

What he said.