Column Merging, how to?

bilgin — Wed, 18 May 2011 14:40:32 GMT

The below search script successfully charts one table with two separate set of search results each has the individual columns. Trouble is, we need the column as merged into one column. Note that not each event type has a result, thus some of the events will have null entry.
Does anyone can light my way?
Thanks.
Here is the search script I am using.

eventType="event1" 
| chart count(eval(time<4000)) as event1LessThan4Sec, count as TotalCount1 by siteID
| rename siteID as "ID for 1"
| eval SLAsMet1=event1LessThan4Sec/TotalCount1
| appendcols [ search eventType="event2" 
    | chart count(eval(time<2000)) as event2LessThan2Sec, count as TotalCount2 by siteID
    | rename siteID as "ID for 2"
    | eval SLAsMet2=event2LessThan2Sec/TotalCount2
]

Re: Column Merging, how to?

southeringtonp — Wed, 18 May 2011 15:17:24 GMT

So you just want one field containing the value of either "ID for 1" or "ID for 2", with the assumption that only one of them will contain a value ?

If so, you can always use something like:

| eval siteID=coalesce("ID for 1", "ID for 2")

topic Column Merging, how to? in Splunk Search

Column Merging, how to?

Re: Column Merging, how to?