https://community.splunk.com/t5/Splunk-Search/How-to-quot-join-quot-two-different-searches-with-no-common/m-p/310846#M93217 <P>Great! It works now <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Thu, 18 Jan 2018 18:27:29 GMT CarmineCalo 2018-01-18T18:27:29Z https://community.splunk.com/t5/Splunk-Search/How-to-quot-join-quot-two-different-searches-with-no-common/m-p/310839#M93210 <P>Splunkers!</P> <P>I need to join the follow inputlookup + event searche in order to have, for each AppID, the full set of month buckets given from the time range picker<BR /> Example:</P> <P>Search 1 (Fromm inputlookup):<BR /> App1<BR /> App2<BR /> ...</P> <P>Search 2 (from index search)<BR /> Month 1<BR /> Month 2<BR /> ...</P> <P>Desired outcome:</P> <P>App1 Month1<BR /> App1 Month2<BR /> App1 ...<BR /> App2 Month1<BR /> App2 Month2<BR /> App2 ...<BR /> ... ...</P> <P>Here the code for the two searches</P> <PRE><CODE>Search 1 | inputlookup DOM_ApplicationCatalogue | search Status="Production" | stats count by ApplicationID Search 2 | search index=Incidents | dedup id_inc | timechart span=1mon count | eval datemonth_year=strftime(_time,"%Y-%m") | fields count datemonth_year] </CODE></PRE> <P>Any help?</P> <P>Tks!<BR /> Carmine</P> Thu, 18 Jan 2018 13:19:47 GMT https://community.splunk.com/t5/Splunk-Search/How-to-quot-join-quot-two-different-searches-with-no-common/m-p/310839#M93210 CarmineCalo 2018-01-18T13:19:47Z https://community.splunk.com/t5/Splunk-Search/How-to-quot-join-quot-two-different-searches-with-no-common/m-p/310840#M93211 <P>you can try something like</P> <PRE><CODE>| inputlookup DOM_ApplicationCatalogue | search Status="Production" | stats count by ApplicationID | appendcols [ search index=Incidents | dedup id_inc | timechart span=1mon count | eval datemonth_year=strftime(_time,"%Y-%m") | fields count datemonth_year] </CODE></PRE> <P>let me know if this helps !</P> Thu, 18 Jan 2018 13:40:09 GMT https://community.splunk.com/t5/Splunk-Search/How-to-quot-join-quot-two-different-searches-with-no-common/m-p/310840#M93211 mayurr98 2018-01-18T13:40:09Z https://community.splunk.com/t5/Splunk-Search/How-to-quot-join-quot-two-different-searches-with-no-common/m-p/310841#M93212 <P>No, unfortunately it's not working...</P> <P>It generate something like (hyp that Month = (Month 1, Month 2)</P> <P>App1 Month 1<BR /> App2 Month 2<BR /> App3 <BR /> App4 <BR /> ...</P> <P>Carmine</P> Thu, 18 Jan 2018 14:04:47 GMT https://community.splunk.com/t5/Splunk-Search/How-to-quot-join-quot-two-different-searches-with-no-common/m-p/310841#M93212 CarmineCalo 2018-01-18T14:04:47Z https://community.splunk.com/t5/Splunk-Search/How-to-quot-join-quot-two-different-searches-with-no-common/m-p/310842#M93213 <P>if you are interested in just desired outcome then you can try something like this I may be wrong...but you will not be able to show count in this because logically linking count is not possible i think<BR /><BR /> app1 month1 <BR /> app1 month2<BR /> app2 month1<BR /> app2 month2<BR /> ..and so on</P> <PRE><CODE>| inputlookup DOM_ApplicationCatalogue | search Status="Production" | stats count by ApplicationID | fields ApplicationID | appendcols [ search index=Incidents | dedup id_inc | timechart span=1mon count | eval datemonth_year=strftime(_time,"%Y-%m") | fields datemonth_year ] | stats list(ApplicationID) as ApplicationID list(datemonth_year) as datemonth_year | mvexpand ApplicationID | mvexpand datemonth_year </CODE></PRE> <P>let me know if this helps!</P> Thu, 18 Jan 2018 14:28:35 GMT https://community.splunk.com/t5/Splunk-Search/How-to-quot-join-quot-two-different-searches-with-no-common/m-p/310842#M93213 mayurr98 2018-01-18T14:28:35Z https://community.splunk.com/t5/Splunk-Search/How-to-quot-join-quot-two-different-searches-with-no-common/m-p/310843#M93214 <P>Now It works!<BR /> Tks!</P> Thu, 18 Jan 2018 14:35:21 GMT https://community.splunk.com/t5/Splunk-Search/How-to-quot-join-quot-two-different-searches-with-no-common/m-p/310843#M93214 CarmineCalo 2018-01-18T14:35:21Z https://community.splunk.com/t5/Splunk-Search/How-to-quot-join-quot-two-different-searches-with-no-common/m-p/310844#M93215 <P>Only one additional thing...</P> <P>list(ApplicationID) create a field with "only" 100 value inside (my list of APpID is 4k+!)<BR /> How can i increase the number of values to listed?<BR /> Unfortunately "limit" option not works with stats...</P> Thu, 18 Jan 2018 15:00:39 GMT https://community.splunk.com/t5/Splunk-Search/How-to-quot-join-quot-two-different-searches-with-no-common/m-p/310844#M93215 CarmineCalo 2018-01-18T15:00:39Z https://community.splunk.com/t5/Splunk-Search/How-to-quot-join-quot-two-different-searches-with-no-common/m-p/310845#M93216 <P>Hey use <CODE>values(ApplicationID) as ApplicationID</CODE></P> Thu, 18 Jan 2018 15:25:04 GMT https://community.splunk.com/t5/Splunk-Search/How-to-quot-join-quot-two-different-searches-with-no-common/m-p/310845#M93216 mayurr98 2018-01-18T15:25:04Z https://community.splunk.com/t5/Splunk-Search/How-to-quot-join-quot-two-different-searches-with-no-common/m-p/310846#M93217 <P>Great! It works now <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Thu, 18 Jan 2018 18:27:29 GMT https://community.splunk.com/t5/Splunk-Search/How-to-quot-join-quot-two-different-searches-with-no-common/m-p/310846#M93217 CarmineCalo 2018-01-18T18:27:29Z