https://community.splunk.com/t5/Splunk-Search/Search-Advanced-Nested-query-many-line/m-p/219701#M64562 <P>Hello,</P> <P>I have lot of line with expression like this :</P> <PRE><CODE>code=1 executionTime=n ident=XXX </CODE></PRE> <P>and lot of line with expression like this :</P> <PRE><CODE>code=2 executionTime=m otherIdent=XXX ident=YYYY </CODE></PRE> <P>I would like substract the executionTime of line with code 1 with line in code 2.<BR /> I try with this query but it doesn't work :</P> <PRE><CODE>index=my_index code=1 [search index=my_index code=2 | RENAME executionTime as retrieveExecutionTime| RENAME code as retrieveCode| RENAME ident AS retrieveIdent |RENAME otherIdent as ident| FIELDS ident] | TABLE ident,code, executionTime, retrieveExecutionTime, retrieveCode </CODE></PRE> <P>Columns retrieveExecutionTime, retrieveCode are empty.<BR /> How can I have one line by ident/otherIdent with all necessary information ?</P> <P>Thanks in advance.</P> Mon, 03 Oct 2016 13:16:46 GMT mclane1 2016-10-03T13:16:46Z https://community.splunk.com/t5/Splunk-Search/Search-Advanced-Nested-query-many-line/m-p/219701#M64562 <P>Hello,</P> <P>I have lot of line with expression like this :</P> <PRE><CODE>code=1 executionTime=n ident=XXX </CODE></PRE> <P>and lot of line with expression like this :</P> <PRE><CODE>code=2 executionTime=m otherIdent=XXX ident=YYYY </CODE></PRE> <P>I would like substract the executionTime of line with code 1 with line in code 2.<BR /> I try with this query but it doesn't work :</P> <PRE><CODE>index=my_index code=1 [search index=my_index code=2 | RENAME executionTime as retrieveExecutionTime| RENAME code as retrieveCode| RENAME ident AS retrieveIdent |RENAME otherIdent as ident| FIELDS ident] | TABLE ident,code, executionTime, retrieveExecutionTime, retrieveCode </CODE></PRE> <P>Columns retrieveExecutionTime, retrieveCode are empty.<BR /> How can I have one line by ident/otherIdent with all necessary information ?</P> <P>Thanks in advance.</P> Mon, 03 Oct 2016 13:16:46 GMT https://community.splunk.com/t5/Splunk-Search/Search-Advanced-Nested-query-many-line/m-p/219701#M64562 mclane1 2016-10-03T13:16:46Z https://community.splunk.com/t5/Splunk-Search/Search-Advanced-Nested-query-many-line/m-p/219702#M64563 <P>Please try append command - </P> <PRE><CODE> index=my_index code=1 |append [search index=my_index code=2 | RENAME executionTime as retrieveExecutionTime| RENAME code as retrieveCode| RENAME ident AS retrieveIdent |RENAME otherIdent as ident| FIELDS ident] | TABLE ident,code, executionTime, retrieveExecutionTime, retrieveCode </CODE></PRE> Mon, 03 Oct 2016 16:22:48 GMT https://community.splunk.com/t5/Splunk-Search/Search-Advanced-Nested-query-many-line/m-p/219702#M64563 inventsekar 2016-10-03T16:22:48Z https://community.splunk.com/t5/Splunk-Search/Search-Advanced-Nested-query-many-line/m-p/219703#M64564 <P>Try this</P> <PRE><CODE>index=my_index code=1 OR code=2 | streamstats count by code | streamstats window=1 current=f values(executionTime) as retrieveExecutionTime by count | table _time code count executionTime retrieveExecutionTime </CODE></PRE> Mon, 03 Oct 2016 16:22:57 GMT https://community.splunk.com/t5/Splunk-Search/Search-Advanced-Nested-query-many-line/m-p/219703#M64564 sundareshr 2016-10-03T16:22:57Z https://community.splunk.com/t5/Splunk-Search/Search-Advanced-Nested-query-many-line/m-p/219704#M64565 <P>Try like this</P> <PRE><CODE>index=myindex (code=1 OR code=2) | fields ident otherIdent code executionTime | eval ident=if(code=1,ident,otherIdent) | eval retrieveIdent=if(code=2,ident,null()) | eval retrieveCode=if(code=2,code,null()) | eval retrieveExecutionTime=if(code=2,executionTime,null()) | stats values(*) as * by ident </CODE></PRE> Mon, 03 Oct 2016 17:11:04 GMT https://community.splunk.com/t5/Splunk-Search/Search-Advanced-Nested-query-many-line/m-p/219704#M64565 somesoni2 2016-10-03T17:11:04Z https://community.splunk.com/t5/Splunk-Search/Search-Advanced-Nested-query-many-line/m-p/219705#M64566 <P>Thanks for answer.<BR /> Unfortunatly, it's always empty for retrieve... columns.</P> <P>Regards,</P> Tue, 04 Oct 2016 06:10:53 GMT https://community.splunk.com/t5/Splunk-Search/Search-Advanced-Nested-query-many-line/m-p/219705#M64566 mclane1 2016-10-04T06:10:53Z https://community.splunk.com/t5/Splunk-Search/Search-Advanced-Nested-query-many-line/m-p/219706#M64567 <P>Hello;<BR /> I understand idea.<BR /> I have table like this :</P> <BLOCKQUOTE> <P>||code||ident||otherIdent||executionTime||<BR /> |1|i1|oi1|t1|<BR /> |2|X|i1|t2|</P> </BLOCKQUOTE> <P>and I can transform this table like this (with eval)</P> <BLOCKQUOTE> <P>||code||ident||otherIdent||executionTime||id||executionTime1||executionTime2||...||<BR /> |1|i1|oi1|t1|i1|t1|null|...|<BR /> |2|X|i1|t2|i1|null|t2|...|</P> </BLOCKQUOTE> <P>with stats values do only one line.</P> <P>Very good idea. </P> <P>Thank you.</P> Tue, 04 Oct 2016 06:35:35 GMT https://community.splunk.com/t5/Splunk-Search/Search-Advanced-Nested-query-many-line/m-p/219706#M64567 mclane1 2016-10-04T06:35:35Z