https://community.splunk.com/t5/Splunk-Search/Add-field-from-the-returns-of-another-query/m-p/570159#M198722 <P>From your simplistic description, all I can suggest is:</P><LI-CODE lang="markup">search 1 | join app_name [search 2]</LI-CODE><P>If this doesn't work, you will need to provide more detail of what you are actually doing</P> Fri, 08 Oct 2021 04:12:43 GMT ITWhisperer 2021-10-08T04:12:43Z https://community.splunk.com/t5/Splunk-Search/Add-field-from-the-returns-of-another-query/m-p/570157#M198721 <P>I am trying to produce the following output :</P><TABLE border="1" width="43.77204353578629%"><TBODY><TR><TD width="50%">app_name</TD><TD width="25%">request_id</TD><TD width="12.5%">time</TD><TD width="1.290322580645162%">workload at the time(requests per second)</TD></TR><TR><TD width="50%">App1</TD><TD width="25%">123</TD><TD width="12.5%">1000</TD><TD width="1.290322580645162%">?</TD></TR><TR><TD width="50%">App2</TD><TD width="25%">1234</TD><TD width="12.5%">1000</TD><TD width="1.290322580645162%">?</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>I have two queries that return :</P><P>1. A table with the requests taking the most time</P><TABLE border="1" width="100%"><TBODY><TR><TD width="33.333333333333336%" height="25px">app_name</TD><TD width="33.333333333333336%" height="25px">request_id</TD><TD width="33.333333333333336%" height="25px">time</TD></TR><TR><TD width="33.333333333333336%" height="25px">app1</TD><TD width="33.333333333333336%" height="25px">1</TD><TD width="33.333333333333336%" height="25px">1000</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>2. Numeric value that returns the requests per second for a given app</P><TABLE border="1" width="44.44444619455645%"><TBODY><TR><TD width="33.333333333333336%" height="25px">app_name</TD><TD width="33.333333333333336%" height="25px">requests per second</TD></TR><TR><TD width="33.333333333333336%" height="25px">app1</TD><TD width="33.333333333333336%" height="25px">10</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>How can I join the results from two different queries to produce the final table above?</P><P>Thank you!</P> Fri, 08 Oct 2021 00:25:59 GMT https://community.splunk.com/t5/Splunk-Search/Add-field-from-the-returns-of-another-query/m-p/570157#M198721 yk010123 2021-10-08T00:25:59Z https://community.splunk.com/t5/Splunk-Search/Add-field-from-the-returns-of-another-query/m-p/570159#M198722 <P>From your simplistic description, all I can suggest is:</P><LI-CODE lang="markup">search 1 | join app_name [search 2]</LI-CODE><P>If this doesn't work, you will need to provide more detail of what you are actually doing</P> Fri, 08 Oct 2021 04:12:43 GMT https://community.splunk.com/t5/Splunk-Search/Add-field-from-the-returns-of-another-query/m-p/570159#M198722 ITWhisperer 2021-10-08T04:12:43Z https://community.splunk.com/t5/Splunk-Search/Add-field-from-the-returns-of-another-query/m-p/570237#M198749 <P>This is what I tried but that does not return any result:&nbsp;</P><P>index=myIndex method!=GET process="end" | join app_name [search index=<SPAN>myIndex</SPAN>&nbsp; method!=GET process="start" | timechart count by app_name | timechart per_second(*) ]<BR />| table _time app_name&nbsp;<SPAN>request_id</SPAN></P> Fri, 08 Oct 2021 14:23:21 GMT https://community.splunk.com/t5/Splunk-Search/Add-field-from-the-returns-of-another-query/m-p/570237#M198749 yk010123 2021-10-08T14:23:21Z https://community.splunk.com/t5/Splunk-Search/Add-field-from-the-returns-of-another-query/m-p/570245#M198754 <P>Try something like this</P><LI-CODE lang="markup">index=myIndex method!=GET process="end" | bin _time span=1s | join _time app_name [search index=myIndex method!=GET process="start" | timechart span=1s count by app_name | timechart span=1s per_second(*) as * | untable _time app_name per_second ] | table _time app_name request_id per_second</LI-CODE> Fri, 08 Oct 2021 14:43:57 GMT https://community.splunk.com/t5/Splunk-Search/Add-field-from-the-returns-of-another-query/m-p/570245#M198754 ITWhisperer 2021-10-08T14:43:57Z https://community.splunk.com/t5/Splunk-Search/Add-field-from-the-returns-of-another-query/m-p/570254#M198759 <P>Thank you for the suggestion. I tried that but it returned :&nbsp;</P><P><STRONG>[subsearch]: The specified span would result in too many (&gt;50000) rows.</STRONG></P><DIV class="job-status-container"><DIV class="shared-jobstatus"><DIV class="jobstatus-grouping"><DIV class="jobstatus-status-grouping"><DIV class="status shared-jobstatus-count">And no results. It seems that the only way it works is if I run it in a smaller time range (the individual queries work fine under a longer range)&nbsp;</DIV><DIV class="status shared-jobstatus-count">&nbsp;</DIV><DIV class="status shared-jobstatus-count">Perhaps we could group the requests per second over a longer timeframe (for example, report of the last n minutes) is that possible?&nbsp;</DIV><DIV class="status shared-jobstatus-count">&nbsp;</DIV><DIV class="status shared-jobstatus-count">Also, in some instances, the requests per second field is returning 0 which does not make any sense. Is there some rounding going on?</DIV><DIV class="status shared-jobstatus-count">&nbsp;</DIV><DIV class="status shared-jobstatus-count">Also, if possible, could you please break down the query so that I understand your reasoning?&nbsp;</DIV><DIV class="status shared-jobstatus-count">&nbsp;</DIV><DIV class="status shared-jobstatus-count">Thank you again!&nbsp;</DIV></DIV></DIV></DIV></DIV> Fri, 08 Oct 2021 15:57:47 GMT https://community.splunk.com/t5/Splunk-Search/Add-field-from-the-returns-of-another-query/m-p/570254#M198759 yk010123 2021-10-08T15:57:47Z