https://community.splunk.com/t5/Splunk-Search/How-to-chart-the-results-of-two-joined-searches/m-p/204247#M59348 <P>Saw your reply. There are some logging issues with my data and I'm re-evaluating what I'm using to gauge "success" of any query at this point.</P> <P>If I'm reading your query right, though, this would get me all changes as well as initial values - then essentially dedup when you combine them in a chart?</P> <P>Not sure I have that right.</P> Fri, 10 Jun 2016 20:04:30 GMT jdhux 2016-06-10T20:04:30Z https://community.splunk.com/t5/Splunk-Search/How-to-chart-the-results-of-two-joined-searches/m-p/204245#M59346 <P>I have two types of log events:</P> <PRE><CODE>FIELD INITIAL VALUE Message: { "FieldName":"Field_A", "OrganizationID":1234, "FooDocumentId":01, "WasAutoPopulated":true, "FooAutopopulateInitialValueId":567, } FIELD UPDATE Message: { "FieldName":"Field_A", "OrganizationID":1234, "FooDocumentId":01, "FooValueChangeId":890, } </CODE></PRE> <P>that I am trying to chart out using two joined searches.<BR /> FooDocumentId is a primary key, FieldName can have 1 of 10 values.</P> <P>I want to count the number of times when a field had an initial value event AND an update event.</P> <P>I have two separate queries to get these counts (that I think work):</P> <PRE><CODE>FIND INITIAL FIELD VALUE EVENTS WasAutoPopulated=true | chart dc(FooAutopopulateInitialValueId) by OrganizationID, FieldName FIND FIELD UPDATES FooValueChangeId | dedup FooValueChangeID | chart COUNT(eval(FooValueChangeID)) by OrganizationID, FieldName </CODE></PRE> <P>But I've been struggling to get the join right. I've done:</P> <PRE><CODE>FooValueChangeId | dedup FooValueChangeID | join type=left FooDocumentId, FooFieldName, FooOrgID [search FooAutopopulateInitialValueId WasAutoPopulated=true] | chart COUNT(eval(FieldName)) by OrganizationID, FieldName </CODE></PRE> <P>but the DocumentIds for update events don't line up with the DocumentIds for initial value events</P> <P>I'm looking for output like:</P> <PRE><CODE>OrganizationID Field_A Field_B Field_C 1234 2 1 0 0978 4 3 1 etc... </CODE></PRE> <P>where the numbers under each fieldname are the counts of when that field for that organization had both an initial field value event and a field update event.</P> <P>Am I miles off base?</P> <P>Thanks</P> Wed, 08 Jun 2016 19:19:32 GMT https://community.splunk.com/t5/Splunk-Search/How-to-chart-the-results-of-two-joined-searches/m-p/204245#M59346 jdhux 2016-06-08T19:19:32Z https://community.splunk.com/t5/Splunk-Search/How-to-chart-the-results-of-two-joined-searches/m-p/204246#M59347 <P>How about this;</P> <PRE><CODE> FooValueChangeId OR ( FooAutopopulateInitialValueId WasAutoPopulated=true ) | chart count over OrganizationID by FieldName </CODE></PRE> Wed, 08 Jun 2016 22:38:00 GMT https://community.splunk.com/t5/Splunk-Search/How-to-chart-the-results-of-two-joined-searches/m-p/204246#M59347 Masa 2016-06-08T22:38:00Z https://community.splunk.com/t5/Splunk-Search/How-to-chart-the-results-of-two-joined-searches/m-p/204247#M59348 <P>Saw your reply. There are some logging issues with my data and I'm re-evaluating what I'm using to gauge "success" of any query at this point.</P> <P>If I'm reading your query right, though, this would get me all changes as well as initial values - then essentially dedup when you combine them in a chart?</P> <P>Not sure I have that right.</P> Fri, 10 Jun 2016 20:04:30 GMT https://community.splunk.com/t5/Splunk-Search/How-to-chart-the-results-of-two-joined-searches/m-p/204247#M59348 jdhux 2016-06-10T20:04:30Z https://community.splunk.com/t5/Splunk-Search/How-to-chart-the-results-of-two-joined-searches/m-p/204248#M59349 <P>Yes, you're correct. </P> <P>The chart will do;<BR /> For Each OrganizationID, count of events per FieldsName. </P> Fri, 10 Jun 2016 23:00:18 GMT https://community.splunk.com/t5/Splunk-Search/How-to-chart-the-results-of-two-joined-searches/m-p/204248#M59349 Masa 2016-06-10T23:00:18Z