https://community.splunk.com/t5/Splunk-Search/2-searches-1-csv/m-p/86887#M22187 <P>Since they are over the same time range, append would work. If you find there are more than 1 value for each status and count (ex. 13 and 402 for countA with status 500) you can replace values() with max() or latest().</P> <P><CODE>host="server01" OR host="server03" source="/opt/httpd/logs/access_log" | stats count by status | rename count AS countA | append[ search host="server13" OR host="server14" source="/data/logs/apache/access_log" | stats count by status | rename count AS countB ] | stats values(countA) as countA values(countB) as countB by status</CODE></P> Mon, 14 Jan 2013 21:08:24 GMT alacercogitatus 2013-01-14T21:08:24Z https://community.splunk.com/t5/Splunk-Search/2-searches-1-csv/m-p/86886#M22186 <P>Hello, </P> <P>I have searched around, but I haven't found an example that has shown me the way.</P> <P>What I am trying to do is a search on one location, and compare the stats with another location. </P> <P>Here are the two searches: </P> <PRE><CODE>host="server01" OR host="server03" source="/opt/httpd/logs/access_log" | stats count by status | rename count AS countA </CODE></PRE> <P>and </P> <PRE><CODE>host="server13" OR host="server14" source="/data/logs/apache/access_log" | stats count by status | rename count AS countB </CODE></PRE> <P>I would like to output this information to a csv file that would look like this, using the static error code as one column, and then the variables countA and countB:</P> <PRE><CODE>status,countA,countB 200,563805,6345 206,10,1345 301,33529,345 302,84470,673468 304,1747,46 400,42,23 403,36,346 404,25,46 500,29,45 502,2,345 </CODE></PRE> <P>The best that I was able to do was to get them all into the file, with duplicate entries for the status codes...</P> <P>Any ideas?</P> Mon, 14 Jan 2013 21:00:34 GMT https://community.splunk.com/t5/Splunk-Search/2-searches-1-csv/m-p/86886#M22186 casspugh 2013-01-14T21:00:34Z https://community.splunk.com/t5/Splunk-Search/2-searches-1-csv/m-p/86887#M22187 <P>Since they are over the same time range, append would work. If you find there are more than 1 value for each status and count (ex. 13 and 402 for countA with status 500) you can replace values() with max() or latest().</P> <P><CODE>host="server01" OR host="server03" source="/opt/httpd/logs/access_log" | stats count by status | rename count AS countA | append[ search host="server13" OR host="server14" source="/data/logs/apache/access_log" | stats count by status | rename count AS countB ] | stats values(countA) as countA values(countB) as countB by status</CODE></P> Mon, 14 Jan 2013 21:08:24 GMT https://community.splunk.com/t5/Splunk-Search/2-searches-1-csv/m-p/86887#M22187 alacercogitatus 2013-01-14T21:08:24Z https://community.splunk.com/t5/Splunk-Search/2-searches-1-csv/m-p/86888#M22188 <P>OK - this post helped me. </P> <BLOCKQUOTE> <P><A href="http://splunk-base.splunk.com/answers/51740/comparing-results-from-two-searches/62359">http://splunk-base.splunk.com/answers/51740/comparing-results-from-two-searches/62359</A></P> </BLOCKQUOTE> <P>I was able to use this search to obtain the result I wanted. It takes about 45s to run though, so if anyone has a better idea, I am all ears!</P> <PRE><CODE>host="server01" OR host="server03" source="/opt/httpd/logs/access_log" | stats count by status | rename count AS countA | appendcols [ search ( host="server13" OR host="server14" source="/data/logs/apache/access_log" )| stats count by status | rename count AS countB ] | outputcsv combinedstats.csv </CODE></PRE> Mon, 14 Jan 2013 21:13:39 GMT https://community.splunk.com/t5/Splunk-Search/2-searches-1-csv/m-p/86888#M22188 casspugh 2013-01-14T21:13:39Z https://community.splunk.com/t5/Splunk-Search/2-searches-1-csv/m-p/86889#M22189 <P>Thanks! This does work too! I will compare the two searches to see if there are any differences!</P> Mon, 14 Jan 2013 21:18:00 GMT https://community.splunk.com/t5/Splunk-Search/2-searches-1-csv/m-p/86889#M22189 casspugh 2013-01-14T21:18:00Z