https://community.splunk.com/t5/Splunk-Search/How-to-combine-two-queries-into-one-without-using-eventtypes/m-p/154237#M43364 <P>I can understand your frustration, I have got Splunk- slapped many times. Try the updated options which definitely should work (provided your individual queries were working).</P> Tue, 18 Feb 2014 17:08:26 GMT somesoni2 2014-02-18T17:08:26Z https://community.splunk.com/t5/Splunk-Search/How-to-combine-two-queries-into-one-without-using-eventtypes/m-p/154229#M43356 <P>I have the two separate queries that I could like to combine into on query without using event types. How can I do this as one query?</P> <P>query 1:<BR /> source=....."labelData= " | stats count</P> <P>query 2:<BR /> source=..... lableData!="" | stats count</P> <P><STRONG>ACTUAL LOGS:</STRONG></P> <PRE><CODE>// NO MATCH [2014-02-18 10:21:53,302](org.mysession.Session-/xxx)([8fae1ec7-39bf-4c0b-97ba-144a55d1510e INFO - MyClass - Parsed info: labelData= labelDataValue= matchedLocale= textLength=2636 // MATCH [2014-02-18 10:24:52,302](org.mysession.Session-/xxx)([8fae1ec7-39bf-4c0b-97ba-144a55d1510e INFO - MyClass - Parsed info: labelData=EN_US labelDataValue=1 matchedLocale= textLength=2636 </CODE></PRE> Mon, 17 Feb 2014 23:03:51 GMT https://community.splunk.com/t5/Splunk-Search/How-to-combine-two-queries-into-one-without-using-eventtypes/m-p/154229#M43356 jaj 2014-02-17T23:03:51Z https://community.splunk.com/t5/Splunk-Search/How-to-combine-two-queries-into-one-without-using-eventtypes/m-p/154230#M43357 <P>Try this (assuming labelData is an extracted field for you and both query uses same source)</P> <PRE><CODE>source=yoursource | stats count(eval(isnull(labelData))) as CountBlank, count(eval(isnotnull(labelData))) as CountValues </CODE></PRE> <P>OR (in case upper one doesn't work)</P> <PRE><CODE>source=yoursource | stats count(eval(labelData="")) as CountBlank, count(eval(labelData!="") as CountValues </CODE></PRE> <H2>Update: Another Option</H2> <PRE><CODE>source=yoursource | stats count(eval(len(labelData)=0)) as CountBlank, count(eval(len(labelData)!=0)) as CountValues </CODE></PRE> <H2>2nd Update:</H2> <P>This should work (work around)</P> <PRE><CODE>source=yoursource "labelData= " | stats count as CountBlank | appendcols [search source=yoursource lableData!="" | stats count as CountValues] </CODE></PRE> Tue, 18 Feb 2014 14:58:39 GMT https://community.splunk.com/t5/Splunk-Search/How-to-combine-two-queries-into-one-without-using-eventtypes/m-p/154230#M43357 somesoni2 2014-02-18T14:58:39Z https://community.splunk.com/t5/Splunk-Search/How-to-combine-two-queries-into-one-without-using-eventtypes/m-p/154231#M43358 <P>cool. thanks for the reply. i was able to get second part of your query to work. however, the first part doesn't work. please see my updates on how things are getting logged. for some reason I can't match misses like labelData="". instead I have to match "labelData= " but that was only working for my original query. if I put that into the first part of your query it wont' work for some reason</P> Tue, 18 Feb 2014 15:43:09 GMT https://community.splunk.com/t5/Splunk-Search/How-to-combine-two-queries-into-one-without-using-eventtypes/m-p/154231#M43358 jaj 2014-02-18T15:43:09Z https://community.splunk.com/t5/Splunk-Search/How-to-combine-two-queries-into-one-without-using-eventtypes/m-p/154232#M43359 <P>Did you try both the options that I provided? especially the first one?</P> Tue, 18 Feb 2014 16:16:40 GMT https://community.splunk.com/t5/Splunk-Search/How-to-combine-two-queries-into-one-without-using-eventtypes/m-p/154232#M43359 somesoni2 2014-02-18T16:16:40Z https://community.splunk.com/t5/Splunk-Search/How-to-combine-two-queries-into-one-without-using-eventtypes/m-p/154233#M43360 <P>Since all records will either have labelData="" or labelDate!="", so one work around will be:<BR /> source=yoursource | stats count as Total count(eval(isnotnull(labelData))) as CountValues | eval CountBlank=Total-CountValues | fields - Total</P> Tue, 18 Feb 2014 16:19:37 GMT https://community.splunk.com/t5/Splunk-Search/How-to-combine-two-queries-into-one-without-using-eventtypes/m-p/154233#M43360 somesoni2 2014-02-18T16:19:37Z https://community.splunk.com/t5/Splunk-Search/How-to-combine-two-queries-into-one-without-using-eventtypes/m-p/154234#M43361 <P>the first query isn't working either. the section count(eval(isnull(matchedParsePatterns))) </P> <P>brings back all instances (matches and n0 matches) i.e. labelData= as well as labelData=somevalue</P> Tue, 18 Feb 2014 16:24:49 GMT https://community.splunk.com/t5/Splunk-Search/How-to-combine-two-queries-into-one-without-using-eventtypes/m-p/154234#M43361 jaj 2014-02-18T16:24:49Z https://community.splunk.com/t5/Splunk-Search/How-to-combine-two-queries-into-one-without-using-eventtypes/m-p/154235#M43362 <P>It seems a blank "" is getting assigned instead on NULL which I was thinking. Try the option 3 I provided, should work based on observations your provided.</P> Tue, 18 Feb 2014 16:31:10 GMT https://community.splunk.com/t5/Splunk-Search/How-to-combine-two-queries-into-one-without-using-eventtypes/m-p/154235#M43362 somesoni2 2014-02-18T16:31:10Z https://community.splunk.com/t5/Splunk-Search/How-to-combine-two-queries-into-one-without-using-eventtypes/m-p/154236#M43363 <P>updated logs...i can't figure out this one for the life of me. i tried your update . the second part works fine. the blank ones doesn't. what is the deal with splunk and having issues matching "log msg labelData= " as opposed to "log msg labelData=EN_US"? i can' figure out why splunk messes this up? i have triple checked everything on my side.</P> Tue, 18 Feb 2014 16:59:12 GMT https://community.splunk.com/t5/Splunk-Search/How-to-combine-two-queries-into-one-without-using-eventtypes/m-p/154236#M43363 jaj 2014-02-18T16:59:12Z https://community.splunk.com/t5/Splunk-Search/How-to-combine-two-queries-into-one-without-using-eventtypes/m-p/154237#M43364 <P>I can understand your frustration, I have got Splunk- slapped many times. Try the updated options which definitely should work (provided your individual queries were working).</P> Tue, 18 Feb 2014 17:08:26 GMT https://community.splunk.com/t5/Splunk-Search/How-to-combine-two-queries-into-one-without-using-eventtypes/m-p/154237#M43364 somesoni2 2014-02-18T17:08:26Z https://community.splunk.com/t5/Splunk-Search/How-to-combine-two-queries-into-one-without-using-eventtypes/m-p/154238#M43365 <P>That last workaround worked. Not sure why the others aren't working. It's bizarre. Thanks for not giving up on me. <span class="lia-unicode-emoji" title=":grinning_face_with_big_eyes:">😃</span> Thanks again!</P> Tue, 18 Feb 2014 17:28:44 GMT https://community.splunk.com/t5/Splunk-Search/How-to-combine-two-queries-into-one-without-using-eventtypes/m-p/154238#M43365 jaj 2014-02-18T17:28:44Z https://community.splunk.com/t5/Splunk-Search/How-to-combine-two-queries-into-one-without-using-eventtypes/m-p/154239#M43366 <P>one last ask, how can I get them as separate rows so that I can put them in a pie chart for display? i tried append but no go</P> Tue, 18 Feb 2014 17:35:04 GMT https://community.splunk.com/t5/Splunk-Search/How-to-combine-two-queries-into-one-without-using-eventtypes/m-p/154239#M43366 jaj 2014-02-18T17:35:04Z