https://community.splunk.com/t5/Splunk-Search/How-to-Merge-two-query-resultsets/m-p/602303#M209644 <P>You may try</P><LI-CODE lang="markup">index=myindex (search1 terms OR search2 terms) |table App,Size,Count|addcoltotals</LI-CODE><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="splunk_search.jpg" style="width: 200px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/20158iF4F645ECFB7E79AC/image-size/small?v=v2&amp;px=200" role="button" title="splunk_search.jpg" alt="splunk_search.jpg" /></span></P> Sat, 18 Jun 2022 06:00:20 GMT renjith_nair 2022-06-18T06:00:20Z https://community.splunk.com/t5/Splunk-Search/How-to-Merge-two-query-resultsets/m-p/602283#M209639 <P>I have two Searches and following are its result individually -</P> <P><FONT face="courier new,courier">index="myindex" &lt;my search 1&gt; | table App Size Count</FONT></P> <P><FONT face="courier new,courier">App&nbsp; Size&nbsp; Count</FONT><BR /><FONT face="courier new,courier">App1 5GB&nbsp; &nbsp;100</FONT><BR /><FONT face="courier new,courier">App2 100GB 10000</FONT></P> <P><FONT face="courier new,courier">index=myindex" &lt;my search 2&gt; | table App Size Count</FONT></P> <P><FONT face="courier new,courier">App&nbsp; Size Count</FONT><BR /><FONT face="courier new,courier">App3 15GB 1500</FONT></P> <P>Now I want to run a report that shows result of all Apps (1 to 3) together. So, I used append.</P> <P><FONT face="courier new,courier">index="myindex" &lt;my search 1&gt; | table App Size Count</FONT><BR /><FONT face="courier new,courier">| append</FONT><BR /><FONT face="courier new,courier">[search index=myindex" &lt;my search 2&gt; | table App Size Count]</FONT><BR /><FONT face="courier new,courier">| addcoltotals</FONT></P> <P>But when I used it, I didn't get the complete result. "Size" column is showing different value. Something like this -</P> <P><FONT face="courier new,courier">App&nbsp; Size&nbsp; Count</FONT><BR /><FONT face="courier new,courier">App1 5GB&nbsp; &nbsp;100</FONT><BR /><FONT face="courier new,courier">App2 100GB 10000</FONT><BR /><FONT face="courier new,courier">App3 7GB&nbsp; &nbsp;720</FONT></P> <P>What should be used to get the complete resultset as we got for each search. Best way to merge two query resultsets.</P> <P>&nbsp;</P> <P>Thanks!</P> Tue, 21 Jun 2022 15:58:13 GMT https://community.splunk.com/t5/Splunk-Search/How-to-Merge-two-query-resultsets/m-p/602283#M209639 runiyal 2022-06-21T15:58:13Z https://community.splunk.com/t5/Splunk-Search/How-to-Merge-two-query-resultsets/m-p/602299#M209641 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/138387">@runiyal</a>,</P><P>did you tried to put all the conditions in the main search?</P><P>something like this:</P><LI-CODE lang="markup">index="myindex" (&lt;my search 1&gt; OR &lt;my search 2&gt;) | table App Size Count | addcoltotals</LI-CODE><P>Splunk isn't a DB!</P><P>Ciao.</P><P>Giuseppe</P> Sat, 18 Jun 2022 05:52:16 GMT https://community.splunk.com/t5/Splunk-Search/How-to-Merge-two-query-resultsets/m-p/602299#M209641 gcusello 2022-06-18T05:52:16Z https://community.splunk.com/t5/Splunk-Search/How-to-Merge-two-query-resultsets/m-p/602303#M209644 <P>You may try</P><LI-CODE lang="markup">index=myindex (search1 terms OR search2 terms) |table App,Size,Count|addcoltotals</LI-CODE><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="splunk_search.jpg" style="width: 200px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/20158iF4F645ECFB7E79AC/image-size/small?v=v2&amp;px=200" role="button" title="splunk_search.jpg" alt="splunk_search.jpg" /></span></P> Sat, 18 Jun 2022 06:00:20 GMT https://community.splunk.com/t5/Splunk-Search/How-to-Merge-two-query-resultsets/m-p/602303#M209644 renjith_nair 2022-06-18T06:00:20Z https://community.splunk.com/t5/Splunk-Search/How-to-Merge-two-query-resultsets/m-p/602343#M209654 <P>Here is the updated Query which actual use of REX/EVAL/CASE/STATS in it:</P><P><FONT face="courier new,courier">(index="myindex" "*upload succeeded" OR "*streaming succeeded" NOT "source"</FONT><BR /><FONT face="courier new,courier">| rex ".*SIZE=(?&lt;sizeKB&gt;\d+\.\d+)" | stats sum(eval(sizeKB/1024/1024)) AS Size count | eval App="Upload-Manual")</FONT><BR /><FONT face="courier new,courier">OR</FONT><BR /><FONT face="courier new,courier">(index="myindex" "*upload succeeded" OR "*streaming succeeded"</FONT><BR /><FONT face="courier new,courier">| rex "source=(?&lt;App&gt;[^,]+)." </FONT><BR /><FONT face="courier new,courier">| rex "system=(?&lt;App&gt;[^,]+)." | eval App = case(App="FB","App1",App="TWTR","App2",App="Salesforce","App3",App="SAP","App3",App="Oracle","App3")</FONT><BR /><FONT face="courier new,courier">| rex ".*SIZE=(?&lt;sizeKB&gt;\d+\.\d+)" | stats sum(eval(sizeKB/1024/1024)) AS Size Count by App)</FONT><BR /><FONT face="courier new,courier">| table App Size Count</FONT><BR /><FONT face="courier new,courier">| addcoltotals</FONT></P><P>&nbsp;</P><P>I am getting following error -&nbsp;</P><P><STRONG>Error in 'search' command: Unable to parse the search: unbalanced parentheses.</STRONG></P><P>&nbsp;</P><P>Thanks!</P> Sun, 19 Jun 2022 15:35:06 GMT https://community.splunk.com/t5/Splunk-Search/How-to-Merge-two-query-resultsets/m-p/602343#M209654 runiyal 2022-06-19T15:35:06Z https://community.splunk.com/t5/Splunk-Search/How-to-Merge-two-query-resultsets/m-p/602344#M209655 <P>must be missing our something in the syntax but if I just use the OR between two searches like below I am getting&nbsp;<STRONG>Error in 'search' command: Unable to parse the search: unbalanced parentheses.</STRONG></P><P><FONT face="courier new,courier"><STRONG>(&lt;my search 1&gt; OR &lt;my search 2&gt;)</STRONG></FONT></P><P>&nbsp;I have provided the complete search command above in reply to Renjith.</P> Sun, 19 Jun 2022 15:44:55 GMT https://community.splunk.com/t5/Splunk-Search/How-to-Merge-two-query-resultsets/m-p/602344#M209655 runiyal 2022-06-19T15:44:55Z