https://community.splunk.com/t5/Splunk-Search/Dynamic-table-Create-three-tables-in-one/m-p/245659#M73220 <P>Thanks, don't forget to vote</P> Sat, 12 Mar 2016 17:54:23 GMT gyslainlatsa 2016-03-12T17:54:23Z https://community.splunk.com/t5/Splunk-Search/Dynamic-table-Create-three-tables-in-one/m-p/245655#M73216 <P>Hi, I have three reports, each with a different index.<BR /> And I wanted to join them in the same table.<BR /> Example:</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/1131i16D2E5D3D3FCE97F/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>I have tables A, B and C.<BR /> I wanted to have only one table with four fields: time, K1, K2 and K3.<BR /> But, each table is a search for a different index.</P> <P>Grateful!</P> Thu, 10 Mar 2016 19:03:08 GMT https://community.splunk.com/t5/Splunk-Search/Dynamic-table-Create-three-tables-in-one/m-p/245655#M73216 renanprado96 2016-03-10T19:03:08Z https://community.splunk.com/t5/Splunk-Search/Dynamic-table-Create-three-tables-in-one/m-p/245656#M73217 <P>Depending upon your current queries for each table, there may be different options, so Please provide your current queries. Possible options for you would be to use <CODE>appendcols</CODE> OR <CODE>join</CODE> OR <CODE>append-stats</CODE> combination OR (recommended way if possible) merge all three query in one base search (others involves sub searches).</P> Thu, 10 Mar 2016 19:36:16 GMT https://community.splunk.com/t5/Splunk-Search/Dynamic-table-Create-three-tables-in-one/m-p/245656#M73217 somesoni2 2016-03-10T19:36:16Z https://community.splunk.com/t5/Splunk-Search/Dynamic-table-Create-three-tables-in-one/m-p/245657#M73218 <P>hi,<BR /> try using <CODE>appendcols</CODE> <CODE>(reassures you that the query contains a field that is common to the three indexes)</CODE></P> <PRE><CODE> index=index1 | your search1 |appendcols [search index=index2 | your search2] |appendcols [search index=index3 | your search3 ] </CODE></PRE> <P>see this example with <CODE>appendcols</CODE> </P> <PRE><CODE>index=_internal |stats count as K1 by _time |appendcols [search index=_audit |stats count as K2 by _time] |appendcols [search index="_introspection" |stats count as K3 by _time ] </CODE></PRE> <P>that is the result</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/1130iB9647CBDC52B8EAB/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Thu, 10 Mar 2016 20:08:22 GMT https://community.splunk.com/t5/Splunk-Search/Dynamic-table-Create-three-tables-in-one/m-p/245657#M73218 gyslainlatsa 2016-03-10T20:08:22Z https://community.splunk.com/t5/Splunk-Search/Dynamic-table-Create-three-tables-in-one/m-p/245658#M73219 <P>If your base searches are simple event searches with no pipes, you won't need any append/appendcols or anything that actually joins separate searches. Here is the sort of thing that would achieve this in one search. </P> <PRE><CODE>(index=A &lt;searchTerms for A&gt; ) OR ( index=B &lt;searchTerms for B&gt; ) OR (index=C &lt;searchTerms for C&gt; )| timechart span=7d avg(K1) avg(K2) avg(K3) </CODE></PRE> <P>If one or more of your searches actually contain other search commands, and those commands cannot be safely run (or be tweaked to safely run) on the other two searches output rows, that's the sort of use case where you actually do need append/appendcols/join etc. </P> Thu, 10 Mar 2016 20:28:42 GMT https://community.splunk.com/t5/Splunk-Search/Dynamic-table-Create-three-tables-in-one/m-p/245658#M73219 sideview 2016-03-10T20:28:42Z https://community.splunk.com/t5/Splunk-Search/Dynamic-table-Create-three-tables-in-one/m-p/245659#M73220 <P>Thanks, don't forget to vote</P> Sat, 12 Mar 2016 17:54:23 GMT https://community.splunk.com/t5/Splunk-Search/Dynamic-table-Create-three-tables-in-one/m-p/245659#M73220 gyslainlatsa 2016-03-12T17:54:23Z