https://community.splunk.com/t5/Splunk-Search/merge-two-searches-without-available-fields/m-p/88405#M22612 <P>Error='The arguments to the 'searchmatch' function are invalid.<BR /> Another idea?</P> Fri, 12 Oct 2012 12:51:17 GMT rechteklebe 2012-10-12T12:51:17Z https://community.splunk.com/t5/Splunk-Search/merge-two-searches-without-available-fields/m-p/88403#M22610 <P>Hello, </P> <P>i have two searches where the text expressions are different(without fields) (Login Successful and Unsuccessful). I'd like to have the amount of user divided by country</P> <OL> <LI>index=123 sourcetype=123 country=* "Login successful" | stats count by country</LI> <LI>index=123 sourcetype=123 country=* "Login unsuccessful" | stats count by country</LI> </OL> <P>Now i would like to merge this two searches in one chart divided by the country<BR /> The table should look like: </P> <P>Columns are "Country" "Login Successful" "Login unsuccessful" <BR /><BR /> 1st row for example: DE 20 5</P> <P>I tried to use following search:</P> <P>index="123" sourcetype="123" "Login successful" OR "Login unsuccessful" <BR /> |eval Successful_Logins=searchmatch("Login successful")<BR /> |eval Unsuccessful_Logins=searchmatch("Login unsuccessful")<BR /> |stats Successful_Logins Unsuccessful Logins by country</P> <P>How i can merge two searches without fields (no fields are used for "Login (un)successful")?</P> <P>Thank you in advance!</P> Mon, 28 Sep 2020 12:37:10 GMT https://community.splunk.com/t5/Splunk-Search/merge-two-searches-without-available-fields/m-p/88403#M22610 rechteklebe 2020-09-28T12:37:10Z https://community.splunk.com/t5/Splunk-Search/merge-two-searches-without-available-fields/m-p/88404#M22611 <P>You can use searchmatch and eval in your stats expression.</P> <PRE><CODE>index=123 sourcetype=123 "Login successful" OR "Login unsuccessful" | stats count(eval(searchmatch("Login successful"))) as Successful_Logins count(eval(searchmatch("Login unsuccessful"))) as Unsuccessful_Logins by country </CODE></PRE> Fri, 12 Oct 2012 12:43:46 GMT https://community.splunk.com/t5/Splunk-Search/merge-two-searches-without-available-fields/m-p/88404#M22611 dart 2012-10-12T12:43:46Z https://community.splunk.com/t5/Splunk-Search/merge-two-searches-without-available-fields/m-p/88405#M22612 <P>Error='The arguments to the 'searchmatch' function are invalid.<BR /> Another idea?</P> Fri, 12 Oct 2012 12:51:17 GMT https://community.splunk.com/t5/Splunk-Search/merge-two-searches-without-available-fields/m-p/88405#M22612 rechteklebe 2012-10-12T12:51:17Z https://community.splunk.com/t5/Splunk-Search/merge-two-searches-without-available-fields/m-p/88406#M22613 <P>This exact search worked for me against Windows Security Log Data<BR /> <CODE>*| stats count(eval(searchmatch("Success Audit"))) as Successful_Logins count(eval(searchmatch("Fail* Audit"))) as Unsuccessful_Logins</CODE></P> Fri, 12 Oct 2012 12:54:24 GMT https://community.splunk.com/t5/Splunk-Search/merge-two-searches-without-available-fields/m-p/88406#M22613 dart 2012-10-12T12:54:24Z https://community.splunk.com/t5/Splunk-Search/merge-two-searches-without-available-fields/m-p/88407#M22614 <P>Can you post the exact search you are running? What version of Splunk?</P> Fri, 12 Oct 2012 12:55:02 GMT https://community.splunk.com/t5/Splunk-Search/merge-two-searches-without-available-fields/m-p/88407#M22614 dart 2012-10-12T12:55:02Z https://community.splunk.com/t5/Splunk-Search/merge-two-searches-without-available-fields/m-p/88408#M22615 <P>sorry it was my fault. now your search is working fine! Thanks!</P> Fri, 12 Oct 2012 12:59:47 GMT https://community.splunk.com/t5/Splunk-Search/merge-two-searches-without-available-fields/m-p/88408#M22615 rechteklebe 2012-10-12T12:59:47Z