https://community.splunk.com/t5/Splunk-Search/How-to-merge-two-different-queries-with-the-same-columns/m-p/501715#M195144 <P>I know what the problem is - typo <span class="lia-unicode-emoji" title=":confused_face:">😕</span><BR /> But your response was correct - thank you</P> Thu, 05 Dec 2019 12:04:54 GMT shayhibah 2019-12-05T12:04:54Z https://community.splunk.com/t5/Splunk-Search/How-to-merge-two-different-queries-with-the-same-columns/m-p/501710#M195139 <P>Hi,</P> <P>I have different queries:</P> <P>Query 1: <BR /> |inputlookup myLokkup | eval count=0 | table myField, count<BR /> For Example:<BR /> myField count<BR /> A 0<BR /> B 0<BR /> C 0</P> <P>Query 2:<BR /> sourcetype="my_log" | stats count by myField<BR /> For Example:<BR /> myField count<BR /> A 4<BR /> C 2</P> <P>How can I combine these 2 queries to return the following:<BR /> myField count<BR /> A 4<BR /> B 0<BR /> C 2</P> <P>Thanks</P> Thu, 05 Dec 2019 10:48:24 GMT https://community.splunk.com/t5/Splunk-Search/How-to-merge-two-different-queries-with-the-same-columns/m-p/501710#M195139 shayhibah 2019-12-05T10:48:24Z https://community.splunk.com/t5/Splunk-Search/How-to-merge-two-different-queries-with-the-same-columns/m-p/501711#M195140 <P>@shayhibah </P> <P>Can you please try this?</P> <PRE><CODE>sourcetype="my_log" | stats count by myField | append [ |inputlookup myLokkup | eval count=0 | table myField, count ] | stats sum(count) as count by myField </CODE></PRE> <P>Thanks</P> Thu, 05 Dec 2019 10:55:36 GMT https://community.splunk.com/t5/Splunk-Search/How-to-merge-two-different-queries-with-the-same-columns/m-p/501711#M195140 kamlesh_vaghela 2019-12-05T10:55:36Z https://community.splunk.com/t5/Splunk-Search/How-to-merge-two-different-queries-with-the-same-columns/m-p/501712#M195141 <P>hi @kamlesh_vaghela </P> <P>The output is incorrect:</P> <P>A0<BR /> A 4<BR /> B 0<BR /> C0<BR /> C 2</P> <P>It didn't remove fields that exist in both searches</P> Thu, 05 Dec 2019 11:43:31 GMT https://community.splunk.com/t5/Splunk-Search/How-to-merge-two-different-queries-with-the-same-columns/m-p/501712#M195141 shayhibah 2019-12-05T11:43:31Z https://community.splunk.com/t5/Splunk-Search/How-to-merge-two-different-queries-with-the-same-columns/m-p/501713#M195142 <P>@shayhibah</P> <P>I think it should work. Can you please confirm that count doesn't have any extra hidden character. </P> <P>Please check below sample search with same logic.</P> <PRE><CODE>| makeresults | eval myField="A,C",myField=split(myField,","),count=20 | mvexpand myField | table myField count | append [| makeresults | eval myField="A,B,C",myField=split(myField,","),count=0 | mvexpand myField | table myField count] | stats sum(count) as count by myField </CODE></PRE> <P>Is it possible to share your search with sample values?</P> Thu, 05 Dec 2019 11:53:41 GMT https://community.splunk.com/t5/Splunk-Search/How-to-merge-two-different-queries-with-the-same-columns/m-p/501713#M195142 kamlesh_vaghela 2019-12-05T11:53:41Z https://community.splunk.com/t5/Splunk-Search/How-to-merge-two-different-queries-with-the-same-columns/m-p/501714#M195143 <P>@kamlesh_vaghela <BR /> Sure,</P> <P>This is my query:</P> <PRE><CODE>sourcetype="my_log" | stats count by my_field | append [|inputlookup my_lookup | rename field AS my_field | eval count=0 | table my_field, count] | stats sum(count) as count by my_field </CODE></PRE> <P>For some reason your query above works fine but mine does not.</P> Thu, 05 Dec 2019 12:01:24 GMT https://community.splunk.com/t5/Splunk-Search/How-to-merge-two-different-queries-with-the-same-columns/m-p/501714#M195143 shayhibah 2019-12-05T12:01:24Z https://community.splunk.com/t5/Splunk-Search/How-to-merge-two-different-queries-with-the-same-columns/m-p/501715#M195144 <P>I know what the problem is - typo <span class="lia-unicode-emoji" title=":confused_face:">😕</span><BR /> But your response was correct - thank you</P> Thu, 05 Dec 2019 12:04:54 GMT https://community.splunk.com/t5/Splunk-Search/How-to-merge-two-different-queries-with-the-same-columns/m-p/501715#M195144 shayhibah 2019-12-05T12:04:54Z https://community.splunk.com/t5/Splunk-Search/How-to-merge-two-different-queries-with-the-same-columns/m-p/501716#M195145 <P>@shayhibah</P> <P>I think your lookup <CODE>field</CODE> has extra spaces.<BR /> Try this.</P> <PRE><CODE>sourcetype="my_log" | stats count by my_field | append [|inputlookup my_lookup | rename field AS my_field | eval count=0 | eval myField=trim(myField) | table my_field, count] | stats sum(count) as count by my_field </CODE></PRE> Thu, 05 Dec 2019 12:05:37 GMT https://community.splunk.com/t5/Splunk-Search/How-to-merge-two-different-queries-with-the-same-columns/m-p/501716#M195145 kamlesh_vaghela 2019-12-05T12:05:37Z https://community.splunk.com/t5/Splunk-Search/How-to-merge-two-different-queries-with-the-same-columns/m-p/501717#M195146 <P>ooh Great.</P> <P><STRONG>Happy Splunking</STRONG></P> Thu, 05 Dec 2019 12:06:37 GMT https://community.splunk.com/t5/Splunk-Search/How-to-merge-two-different-queries-with-the-same-columns/m-p/501717#M195146 kamlesh_vaghela 2019-12-05T12:06:37Z