topic Re: i have two different searches there is nothing common between both the search, I want to combine both the result as one. in Splunk Search

i have two different searches there is nothing common between both the search, I want to combine both the result as one.

dhirajyadav — Tue, 29 Sep 2020 20:16:51 GMT

query 1: index=lenovo sourcetype = ticketmaster | where Status in ("Assigned","In-Progress","New","Pending")
| stats dc(No) as LENOVO_COUNT by Status

query 2: sourcetype="remedy_incident" OR sourcetype="remedy_incident_task"
| where state in(1,2,14,16,18,22,40,62)
| eval Status = case(state = "1","New",state = "2","Active",state = "14","Pending",state = "16","Pending",state = "18","Pending",state = "22","Pending",state = "40","Pending",state = "62","Pending") | stats dc(number) as REMEDY_COUNT by Status

Re: i have two different searches there is nothing common between both the search, I want to combine both the result as one.

renjith_nair — Thu, 05 Jul 2018 00:57:01 GMT

Hi @dhirajyadav,

How do you want to combine? What should be the final result?

Re: i have two different searches there is nothing common between both the search, I want to combine both the result as one.

woodcock — Thu, 05 Jul 2018 01:54:34 GMT

Try this:

(index=lenovo sourcetype = ticketmaster) OR (sourcetype="remedy_incident" OR sourcetype="remedy_incident_task")
| where (Status IN("Assigned","In-Progress","New","Pending") OR state IN(1,2,14,16,18,22,40,62))
| eval Status = case(sourcetype = ticketmaster, Status, state = "1","New",state = "2","Active",state = "14","Pending",state = "16","Pending",state = "18","Pending",state = "22","Pending",state = "40","Pending",state = "62","Pending") 
| stats dc(No) AS LENOVO_COUNT dc(number) AS REMEDY_COUNT BY Status