topic Re: Want to merge two query with different fields in one in Splunk Search https://community.splunk.com/t5/Splunk-Search/Want-to-merge-two-query-with-different-fields-in-one/m-p/579995#M202088 <P>&nbsp;Actually I want to calculate the&nbsp; friction rate&nbsp; &nbsp;of all the status which I am getting from query</P><P>You can see all below status with queries</P><P>Manual Review - Splunk Query<BR />------------------------------------------------------<BR />index = pcf_logs cf_org_name = creorg OR cf_org_name = SvcITDnFAppsOrg cf_app_name=VerifyReviewConsumerService host="*"<BR />| search msg="*Manual Review*"<BR />| eval _raw = msg<BR />| rex "(?&lt;CRE_Creation_Date&gt;\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}\s..)"<BR />| rex "Request\#\:\s*(?&lt;Manual_CRE_ID&gt;\d+)"<BR />| rex "with(?&lt;Manual_Review&gt;\s\w+\s\w+)"<BR />| rex "(?&lt;Failed_Reason&gt;Rule.*)$"<BR />| eval Failed_Reason=trim(Failed_Reason, "Rule ")<BR />| stats count by CRE_Creation_Date Manual_CRE_ID Manual_Review Failed_Reason</P><P><BR />------------------------------------------------------<BR />status Approved - Splunk Query<BR />------------------------------------------------------<BR />index = pcf_logs cf_org_name = creorg OR cf_org_name = SvcITDnFAppsOrg cf_app_name=VerifyReviewConsumerService host="*"<BR />| search msg = "*status Approved*"<BR />| eval _raw = msg<BR />| rex "INFO\s\|\s(?&lt;CRE_Creation_Date&gt;\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}\s..)"<BR />| rex "Request\#\:\s*(?&lt;Approved_CRE_ID&gt;\d+)"<BR />| rex "status(?&lt;Approved&gt;\s........)"<BR />| stats count by CRE_Creation_Date Approved_CRE_ID Approved</P><P><BR />------------------------------------------------------<BR />status Rejected - Splunk Query<BR />------------------------------------------------------<BR />index = pcf_logs cf_org_name = creorg OR cf_org_name = SvcITDnFAppsOrg cf_app_name=VerifyReviewConsumerService host="*"<BR />| search msg="*Rejected*"<BR />| eval _raw = msg<BR />| rex "(?&lt;CRE_Creation_Date&gt;\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}\s..)"<BR />| rex "Request\#\:\s*(?&lt;Rejected_CRE_ID&gt;\d+)"<BR />| rex status(?&lt;Rejected&gt;\s\w+)<BR />| rex (?&lt;Failed_Reason&gt;Rule.*)$<BR />| eval Failed_Reason=trim(Failed_Reason, "Rule ")<BR />| stats count by CRE_Creation_Date Rejected_CRE_ID Rejected Failed_Reason</P> Wed, 05 Jan 2022 13:04:54 GMT nikhilup 2022-01-05T13:04:54Z Want to merge two query with different fields in one https://community.splunk.com/t5/Splunk-Search/Want-to-merge-two-query-with-different-fields-in-one/m-p/579986#M202081 <P>First query<BR />index = pcf_logs cf_org_name = creorg OR cf_org_name = SvcITDnFAppsOrg cf_app_name=VerifyReviewConsumerService host="*" | eval _raw = msg<BR />| rex "Request\#\:\s*(?&lt;ID1&gt;\d+) with (?&lt;Status&gt;\w+.\w+)"|rex "CRERequestId\"\:\"(?&lt;ID2&gt;[^\"]+)"<BR />| eval ID=coalesce(ID1,ID2)<BR />| stats latest(Status) as Status by ID<BR />| eval Status=trim(Status, "status ")<BR />| stats count by Status</P><P>Second query</P><P>index = pcf_logs cf_org_name = creorg OR cf_org_name = SvcITDnFAppsOrg cf_app_name=VerifyReviewConsumerService host="*"<BR />| search msg="*Rejected*"<BR />| eval _raw = msg<BR />| rex "(?&lt;CRE_Creation_Date&gt;\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}\s..)"<BR />| rex "Request\#\:\s*(?&lt;Rejected_CRE_ID&gt;\d+)"<BR />| rex status(?&lt;Rejected&gt;\s\w+)<BR />| rex (?&lt;Failed_Reason&gt;Rule.*)$<BR />| eval Failed_Reason=trim(Failed_Reason, "Rule ")<BR />| stats count by CRE_Creation_Date Rejected_CRE_ID Rejected Failed_Reason</P><P>&nbsp;</P> Wed, 05 Jan 2022 12:17:37 GMT https://community.splunk.com/t5/Splunk-Search/Want-to-merge-two-query-with-different-fields-in-one/m-p/579986#M202081 nikhilup 2022-01-05T12:17:37Z Re: Want to merge two query with different fields in one https://community.splunk.com/t5/Splunk-Search/Want-to-merge-two-query-with-different-fields-in-one/m-p/579993#M202087 <P>Can you give (sanitised) examples of the events you are working with and the aim of the merged query?</P> Wed, 05 Jan 2022 12:47:35 GMT https://community.splunk.com/t5/Splunk-Search/Want-to-merge-two-query-with-different-fields-in-one/m-p/579993#M202087 ITWhisperer 2022-01-05T12:47:35Z Re: Want to merge two query with different fields in one https://community.splunk.com/t5/Splunk-Search/Want-to-merge-two-query-with-different-fields-in-one/m-p/579995#M202088 <P>&nbsp;Actually I want to calculate the&nbsp; friction rate&nbsp; &nbsp;of all the status which I am getting from query</P><P>You can see all below status with queries</P><P>Manual Review - Splunk Query<BR />------------------------------------------------------<BR />index = pcf_logs cf_org_name = creorg OR cf_org_name = SvcITDnFAppsOrg cf_app_name=VerifyReviewConsumerService host="*"<BR />| search msg="*Manual Review*"<BR />| eval _raw = msg<BR />| rex "(?&lt;CRE_Creation_Date&gt;\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}\s..)"<BR />| rex "Request\#\:\s*(?&lt;Manual_CRE_ID&gt;\d+)"<BR />| rex "with(?&lt;Manual_Review&gt;\s\w+\s\w+)"<BR />| rex "(?&lt;Failed_Reason&gt;Rule.*)$"<BR />| eval Failed_Reason=trim(Failed_Reason, "Rule ")<BR />| stats count by CRE_Creation_Date Manual_CRE_ID Manual_Review Failed_Reason</P><P><BR />------------------------------------------------------<BR />status Approved - Splunk Query<BR />------------------------------------------------------<BR />index = pcf_logs cf_org_name = creorg OR cf_org_name = SvcITDnFAppsOrg cf_app_name=VerifyReviewConsumerService host="*"<BR />| search msg = "*status Approved*"<BR />| eval _raw = msg<BR />| rex "INFO\s\|\s(?&lt;CRE_Creation_Date&gt;\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}\s..)"<BR />| rex "Request\#\:\s*(?&lt;Approved_CRE_ID&gt;\d+)"<BR />| rex "status(?&lt;Approved&gt;\s........)"<BR />| stats count by CRE_Creation_Date Approved_CRE_ID Approved</P><P><BR />------------------------------------------------------<BR />status Rejected - Splunk Query<BR />------------------------------------------------------<BR />index = pcf_logs cf_org_name = creorg OR cf_org_name = SvcITDnFAppsOrg cf_app_name=VerifyReviewConsumerService host="*"<BR />| search msg="*Rejected*"<BR />| eval _raw = msg<BR />| rex "(?&lt;CRE_Creation_Date&gt;\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}\s..)"<BR />| rex "Request\#\:\s*(?&lt;Rejected_CRE_ID&gt;\d+)"<BR />| rex status(?&lt;Rejected&gt;\s\w+)<BR />| rex (?&lt;Failed_Reason&gt;Rule.*)$<BR />| eval Failed_Reason=trim(Failed_Reason, "Rule ")<BR />| stats count by CRE_Creation_Date Rejected_CRE_ID Rejected Failed_Reason</P> Wed, 05 Jan 2022 13:04:54 GMT https://community.splunk.com/t5/Splunk-Search/Want-to-merge-two-query-with-different-fields-in-one/m-p/579995#M202088 nikhilup 2022-01-05T13:04:54Z