https://community.splunk.com/t5/Splunk-Search/How-to-combine-multiple-queries-into-one/m-p/444665#M167634 <P>Try this!</P> <PRE><CODE> index=some_index sourcetype=some_source host=*host* (span_name=SomeSpanName1 OR span_name=SomeSpanName2 OR span_name=SomeSpanName3 OR span_name=SomeSpanName4) | eval duration=span_duration/1000 | stats p99(duration) by span_name | transpose header_field=span_name| fields - column </CODE></PRE> Thu, 06 Sep 2018 09:08:39 GMT HiroshiSatoh 2018-09-06T09:08:39Z https://community.splunk.com/t5/Splunk-Search/How-to-combine-multiple-queries-into-one/m-p/444663#M167632 <P>Hello,</P> <P>I have multiple queries with small differences, is it possible to combine them?</P> <P>Here is example:</P> <PRE><CODE>index=some_index sourcetype=some_source host=*host* (span_name=SomeSpanName1) | eval duration=span_duration/1000 | stats p99(duration) index=some_index sourcetype=some_source host=*host* (span_name=SomeSpanName2 OR span_name=SomeSpanName3) | eval duration=span_duration/1000 | stats p99(duration) index=some_index sourcetype=some_source host=*host* (span_name=SomeSpanName4) | eval duration=span_duration/1000 | stats p99(duration) </CODE></PRE> <P>The result of each query is only one column <CODE>p99(duration)</CODE> with value.</P> <P>Is it possible to combine these queries and get a result with three columns with different names (I need to know the correspondence of each column to the condition)?</P> Thu, 06 Sep 2018 08:18:30 GMT https://community.splunk.com/t5/Splunk-Search/How-to-combine-multiple-queries-into-one/m-p/444663#M167632 vintik 2018-09-06T08:18:30Z https://community.splunk.com/t5/Splunk-Search/How-to-combine-multiple-queries-into-one/m-p/444664#M167633 <P>Hi @vintik,</P> <P>Please try below query.</P> <PRE><CODE>index=some_index sourcetype=some_source host=*host* (span_name=SomeSpanName1 OR span_name=SomeSpanName2 OR span_name=SomeSpanName3 OR span_name=SomeSpanName4) | eval duration=span_duration/1000 | stats p99(eval(if(span_name="SomeSpanName1",duration,0))) AS p99_Span1, p99(eval(if(span_name="SomeSpanName2" OR span_name="SomeSpanName3",duration,0))) AS p99_Span2_3, p99(eval(if(span_name="SomeSpanName4",duration,0))) AS p99_Span4 </CODE></PRE> <P>I have created run anywhere search as below which gives me correct result.</P> <PRE><CODE>| makeresults | eval span_name="SomeSpanName1", span_duration="1001" | append [ makeresults | eval span_name="SomeSpanName2", span_duration="2001" ] | append [ makeresults | eval span_name="SomeSpanName3", span_duration="3001" ] | append [ makeresults | eval span_name="SomeSpanName4", span_duration="4001" ] | eval duration=span_duration/1000 | stats p99(eval(if(span_name="SomeSpanName1",duration,0))) AS p99_Span1, p99(eval(if(span_name="SomeSpanName2" OR span_name="SomeSpanName3",duration,0))) AS p99_Span2_3, p99(eval(if(span_name="SomeSpanName4",duration,0))) AS p99_Span4 </CODE></PRE> Thu, 06 Sep 2018 08:35:55 GMT https://community.splunk.com/t5/Splunk-Search/How-to-combine-multiple-queries-into-one/m-p/444664#M167633 harsmarvania57 2018-09-06T08:35:55Z https://community.splunk.com/t5/Splunk-Search/How-to-combine-multiple-queries-into-one/m-p/444665#M167634 <P>Try this!</P> <PRE><CODE> index=some_index sourcetype=some_source host=*host* (span_name=SomeSpanName1 OR span_name=SomeSpanName2 OR span_name=SomeSpanName3 OR span_name=SomeSpanName4) | eval duration=span_duration/1000 | stats p99(duration) by span_name | transpose header_field=span_name| fields - column </CODE></PRE> Thu, 06 Sep 2018 09:08:39 GMT https://community.splunk.com/t5/Splunk-Search/How-to-combine-multiple-queries-into-one/m-p/444665#M167634 HiroshiSatoh 2018-09-06T09:08:39Z