topic Re: Table from two separate searches and sourcetypes in Splunk Search

Table from two separate searches and sourcetypes

Brainstorms — Sat, 02 Oct 2021 17:11:53 GMT

So, to preface this, I am very new to Splunk.
The end game is to make a chart overlay, but that's not my main question here.

I have two searches with very similar information being returned. I need to make a table with information from both searches and I just can't seem to manage it. I have tried append, appendcols, multisearch, etc. The problem is that I cannot use OR for the sourcetype because the two sourcetypes have extremely similar information in them and the queries to pull from them are the exact same.
Example:

First:

index = indexa sourcetype = sourcetypeA
| count X as "Result A"
| other logic etc
| table month_year "Result A"

Second:

index= indexa sourcetype = sourcetypeB
| count X as "Result B"
| other logic etc
| table month_year "Result B"

Ultimately I'd want the results to say:

month_Year	Result B	Result A
info	info	info

Right now when I attempt to do anything, it just skips out on "Result B" entirely. I know there must be some simple way I'm just missing. If anyone could help me out I'd really appreciate it, this is driving me crazy.

Re: Table from two separate searches and sourcetypes

richgalloway — Sat, 02 Oct 2021 17:18:19 GMT

Perhaps this will help.

index = indexa (sourcetype = sourcetypeA OR sourcetype = sourcetypeB) | stats sum(eval(sourcetype=sourcetypA) as "Result A", sum(eval(sourcetype=sourcetypeB) as "Result B" | other logic etc | table month_year "Result A" "Result B"

Re: Table from two separate searches and sourcetypes

Brainstorms — Sat, 02 Oct 2021 17:59:49 GMT

THANK YOU. I knew I was close in some of my attempts but I just couldn't make the connection. This worked for me exactly as needed.