https://community.splunk.com/t5/Splunk-Search/combine-2-queried-and-combine-results/m-p/384964#M172146 <P>The searches share all the same fields, just different values. The 1st search returns events for inbound call records while the 2nd search returns outbound calls records. Trying to take those 2 values by client_name and total them up to get a total duration.</P> Fri, 29 Mar 2019 18:01:43 GMT fmatera 2019-03-29T18:01:43Z https://community.splunk.com/t5/Splunk-Search/combine-2-queried-and-combine-results/m-p/384962#M172144 <P>I have 2 good searches. One outputs:<BR /> Date Agent Answered Calls Average Talk Time Longest Talk Time Total Talk Time<BR /> By agent/client_name<BR /> The second has outbound minutes (OBMINS1) by client name.</P> <P>What I would like to do is add a column OBMINS1 to the 1st table and add this result to Total Talk Time. </P> <P>I tried using appendcols but can't seem the values to line up by client_name.</P> <P>Here are the 2 queries that work:</P> <P>base search<BR /> | addinfo | convert timeformat="%A, %m/%d/%Y" ctime(_time) AS Date<BR /> | dedup callid sortby disposion<BR /> | stats count(_raw) as Total, count(eval(disposion="ANSWERED")) as Answered, count(eval(disposion="NO ANSWER" OR disposion="BUSY" OR disposion="FAILED" OR disposion="NOT ALLOWED")) as "Abandoned Calls", count(eval(application="Voicemail")) as "Voicemail Calls" sum(Dur) AS Seconds, max(Dur) as Longest by Date, client_name<BR /> | eval ASR=round(Answered/Total*100,2)."%"<BR /> | eval Minutes=round(Seconds/60,0)<BR /> | eval OBMINS=round(OBSeconds/60,0)<BR /> | eval ALOC=round(Minutes/Answered,2)<BR /> | eval TotDur=tostring(Seconds, "duration")<BR /> | eval "Longest Talk Time"=tostring(Longest, "duration")<BR /> | rename client_name as Agent, TotDur as "Total Talk Time", ALOC as "Average Talk Time", Total as "Total Calls", Answered as "Answered Calls"<BR /> | table Date, Agent, "Answered Calls", "Average Talk Time", "Longest Talk Time", "Total Talk Time"<BR /> | addcoltotals "Answered Calls", labelfield=Date label=Totals</P> <P>2nd search<BR /> base search<BR /> | stats count(_raw) as TotalOB, count(eval(disposion="ANSWERED")) as OBAnswered, count(eval(disposion="NO ANSWER" OR disposion="BUSY" OR disposion="FAILED" OR disposion="NOT ALLOWED")) as "OBAbandoned Calls", sum(Dur) AS OBSeconds by client_name | eval OBMINS1=tostring(OBSeconds, "duration")</P> <P>Thanks in advance</P> Tue, 29 Sep 2020 23:54:35 GMT https://community.splunk.com/t5/Splunk-Search/combine-2-queried-and-combine-results/m-p/384962#M172144 fmatera 2020-09-29T23:54:35Z https://community.splunk.com/t5/Splunk-Search/combine-2-queried-and-combine-results/m-p/384963#M172145 <P>are the two queries using the same data in the base searches? same index? sourcetype? anything similar? Could be that we could avoid joins all together and do something with stats/eventstats type work. would help to know the base search.</P> Fri, 29 Mar 2019 17:04:44 GMT https://community.splunk.com/t5/Splunk-Search/combine-2-queried-and-combine-results/m-p/384963#M172145 cmerriman 2019-03-29T17:04:44Z https://community.splunk.com/t5/Splunk-Search/combine-2-queried-and-combine-results/m-p/384964#M172146 <P>The searches share all the same fields, just different values. The 1st search returns events for inbound call records while the 2nd search returns outbound calls records. Trying to take those 2 values by client_name and total them up to get a total duration.</P> Fri, 29 Mar 2019 18:01:43 GMT https://community.splunk.com/t5/Splunk-Search/combine-2-queried-and-combine-results/m-p/384964#M172146 fmatera 2019-03-29T18:01:43Z https://community.splunk.com/t5/Splunk-Search/combine-2-queried-and-combine-results/m-p/384965#M172147 <P>1st search </P> <P>index=cdr flow=in client_client_id=1110 partyid=111000200 calltype=local OR calltype=out</P> <P>2nd search</P> <P>index=cdr client_client_id=1110 flow=out calltype=out</P> Tue, 29 Sep 2020 23:50:29 GMT https://community.splunk.com/t5/Splunk-Search/combine-2-queried-and-combine-results/m-p/384965#M172147 fmatera 2020-09-29T23:50:29Z