https://community.splunk.com/t5/Splunk-Search/How-can-you-display-results-from-2-contrasting-text-searches-in/m-p/241097#M71702 <P>Thanks for the response! Really appreciate it!<BR /> That got me what I needed...</P> <P>For anyone else who happens apon this string, I had to make two changes to get it to work<BR /> 1) had to add <CODE>search</CODE> after the <CODE>appendcols [</CODE><BR /> 2) had to move the <CODE>| fields - count</CODE> to OUTSIDE of the <CODE>]</CODE>.</P> <P>So the final serach looked like:</P> <PRE><CODE>host=ServerNumber1 sourcetype=log adventure NOT "Buck" | rename uniqueid as item1 | stats count by item1 | fields - count | appendcols [search host=ServerNumber1 sourcetype=log "Buck" | rename uniqueid as item2 | stats count by item2] | fields - count </CODE></PRE> Thu, 30 Jun 2016 00:40:20 GMT Adam_Berliner_M 2016-06-30T00:40:20Z https://community.splunk.com/t5/Splunk-Search/How-can-you-display-results-from-2-contrasting-text-searches-in/m-p/241095#M71700 <P>Afternoon!</P> <P>Hope this isn't too basic of a question here, but I've been striking out on finding a similar search to use as an example.<BR /> I'm basically trying to parse 2 separate results out of the same log entry and display them in a single table.</P> <P><STRONG>Search 1:</STRONG> </P> <PRE><CODE>host=ServerNumber1 sourcetype=log adventure NOT "Buck" | rename uniqueid as item1 | dedup item1 | table item1 </CODE></PRE> <P><STRONG>Search 2:</STRONG> </P> <PRE><CODE>host=ServerNumber1 sourcetype=log "Buck" | rename uniqueid as item2 | dedup item2 | table item2 </CODE></PRE> <P>I'm trying to figure out how to get item1 and item2 in to the same table in separate columns.<BR /> Any help would be appreciated!</P> Wed, 29 Jun 2016 23:15:07 GMT https://community.splunk.com/t5/Splunk-Search/How-can-you-display-results-from-2-contrasting-text-searches-in/m-p/241095#M71700 Adam_Berliner_M 2016-06-29T23:15:07Z https://community.splunk.com/t5/Splunk-Search/How-can-you-display-results-from-2-contrasting-text-searches-in/m-p/241096#M71701 <P>How do you want the final display? Item1 &amp; Item2 as different columns in your table. See if this gives you what your are looking for</P> <PRE><CODE>host=ServerNumber1 sourcetype=log adventure NOT "Buck" | rename uniqueid as item1 | stats count by item1 | fields - count | appendcols [ host=ServerNumber1 sourcetype=log "Buck" | rename uniqueid as item2 | stats count by item2 | fields - count] </CODE></PRE> Wed, 29 Jun 2016 23:46:53 GMT https://community.splunk.com/t5/Splunk-Search/How-can-you-display-results-from-2-contrasting-text-searches-in/m-p/241096#M71701 sundareshr 2016-06-29T23:46:53Z https://community.splunk.com/t5/Splunk-Search/How-can-you-display-results-from-2-contrasting-text-searches-in/m-p/241097#M71702 <P>Thanks for the response! Really appreciate it!<BR /> That got me what I needed...</P> <P>For anyone else who happens apon this string, I had to make two changes to get it to work<BR /> 1) had to add <CODE>search</CODE> after the <CODE>appendcols [</CODE><BR /> 2) had to move the <CODE>| fields - count</CODE> to OUTSIDE of the <CODE>]</CODE>.</P> <P>So the final serach looked like:</P> <PRE><CODE>host=ServerNumber1 sourcetype=log adventure NOT "Buck" | rename uniqueid as item1 | stats count by item1 | fields - count | appendcols [search host=ServerNumber1 sourcetype=log "Buck" | rename uniqueid as item2 | stats count by item2] | fields - count </CODE></PRE> Thu, 30 Jun 2016 00:40:20 GMT https://community.splunk.com/t5/Splunk-Search/How-can-you-display-results-from-2-contrasting-text-searches-in/m-p/241097#M71702 Adam_Berliner_M 2016-06-30T00:40:20Z https://community.splunk.com/t5/Splunk-Search/How-can-you-display-results-from-2-contrasting-text-searches-in/m-p/241098#M71703 <P>What should I do if i want to reduce item2 from item1 and after that see the results as a table?</P> Thu, 08 Sep 2016 12:40:58 GMT https://community.splunk.com/t5/Splunk-Search/How-can-you-display-results-from-2-contrasting-text-searches-in/m-p/241098#M71703 rafasalo 2016-09-08T12:40:58Z