https://community.splunk.com/t5/Splunk-Search/How-could-I-append-the-subsearch-result-with-different-fields/m-p/137553#M37710 <P>Hi,</P> <P>I am trying to combine two searches into one table with different fields name. for example, I have error source file A, have the filed errorcode with "codeA, codeB, codeC...", source file B have all the successful transaction records with the field name transnum, I want to have a table with the error count split by error code, and the total successful transactions count. The format is like this:</P> <P>codeA xx<BR /> codeB xx<BR /> codeC xx<BR /> transactions xx</P> <P>I tried the search:</P> <P>source=A | stats count by errorcode | append [ search source=B | stats count(transnum) by count ]</P> <P>The total transaction count will show at the last line, but the name column is empty.<BR /> errorcode count<BR /> codeA xx<BR /> codeB xx<BR /> codeC xx<BR /> xx</P> <P>How could I add the name "transactions" to the last row of the search result?</P> Fri, 05 Jun 2015 20:06:44 GMT jpeng5068 2015-06-05T20:06:44Z https://community.splunk.com/t5/Splunk-Search/How-could-I-append-the-subsearch-result-with-different-fields/m-p/137553#M37710 <P>Hi,</P> <P>I am trying to combine two searches into one table with different fields name. for example, I have error source file A, have the filed errorcode with "codeA, codeB, codeC...", source file B have all the successful transaction records with the field name transnum, I want to have a table with the error count split by error code, and the total successful transactions count. The format is like this:</P> <P>codeA xx<BR /> codeB xx<BR /> codeC xx<BR /> transactions xx</P> <P>I tried the search:</P> <P>source=A | stats count by errorcode | append [ search source=B | stats count(transnum) by count ]</P> <P>The total transaction count will show at the last line, but the name column is empty.<BR /> errorcode count<BR /> codeA xx<BR /> codeB xx<BR /> codeC xx<BR /> xx</P> <P>How could I add the name "transactions" to the last row of the search result?</P> Fri, 05 Jun 2015 20:06:44 GMT https://community.splunk.com/t5/Splunk-Search/How-could-I-append-the-subsearch-result-with-different-fields/m-p/137553#M37710 jpeng5068 2015-06-05T20:06:44Z https://community.splunk.com/t5/Splunk-Search/How-could-I-append-the-subsearch-result-with-different-fields/m-p/137554#M37711 <P><A href="http://docs.splunk.com/Documentation/Splunk/6.2.3/SearchReference/eval">eval</A> lets you set fields to <A href="http://docs.splunk.com/Documentation/Splunk/6.2.3/SearchReference/CommonEvalFunctions">calculations</A> or to fixed arbitrary values. Use it within your appended search, and you should be all set:</P> <PRE><CODE>source=A | stats count by errorcode | append [ search source=B | stats count(transnum) as count | eval errorcode="transactions" ] </CODE></PRE> Fri, 05 Jun 2015 20:27:31 GMT https://community.splunk.com/t5/Splunk-Search/How-could-I-append-the-subsearch-result-with-different-fields/m-p/137554#M37711 acharlieh 2015-06-05T20:27:31Z https://community.splunk.com/t5/Splunk-Search/How-could-I-append-the-subsearch-result-with-different-fields/m-p/137555#M37712 <P>That works, Thank you!</P> Tue, 09 Jun 2015 19:02:39 GMT https://community.splunk.com/t5/Splunk-Search/How-could-I-append-the-subsearch-result-with-different-fields/m-p/137555#M37712 jpeng5068 2015-06-09T19:02:39Z