Alerting

How can I have multiple search results in one alert, as joining with | gives only the result of the last search?

sumit_it77
New Member

How can I have multiple search results in one alert, as joining multiple searches with | gives only the result of the last search?


DalJeanis
Legend

There are very many ways to add results together in Splunk. The word join is only one of them, and usually not the right one. Join is useful, assuming that there are specific fields in common and you want the information from the two different search parts moved together into a single record.

| append is useful for adding the results of a completely different search onto the end of the results of the current search. For alerts, this is probably what you want. Append has limits, both in terms of time and in terms of number of records that can be returned, but for alerts, you should not approach those limits.

| multisearch is useful for running several simultaneous searches, and has no limits on the number of records returned, but has limits on which commands are available. In general, only distributed streaming commands are allowed - commands that can be executed independently on each indexer. Once you get to the first aggregate command, transforming command, and so on, it has to be outside the multisearch structure. At your level, that is not going to get you anything, so you should consider this command a curiosity rather than a tool until you get pretty good at a mixed search (what I call the "Splunk soup method").

Plain old mixed search is usually the best practice. There's a pretty good description of what, how and why here.

https://answers.splunk.com/answers/562855/extracting-timebased-information-from-multiple-joi-1.html
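To make the append pattern from the reply above concrete, here is an added example of an alert search that is not from the original thread. The index names, sourcetypes, field names and thresholds (index=auth_logs, index=web_proxy, user, src_ip, 20 and 50 failures) are constructed placeholders, not real configuration. The first pipeline uses append so the second search's rows are added after the first search's rows rather than replacing them; the second pipeline is the equivalent "mixed search" form, where both event sets are pulled in one base search and the stats command separates them afterwards.

```spl
index=auth_logs sourcetype=linux_secure "Failed password" earliest=-15m
| stats count AS failures BY user, src_ip
| where failures > 20
| eval result_source="ssh_failed_logins"
| append [
    search index=web_proxy sourcetype=proxy_access status=403 earliest=-15m
    | stats count AS failures BY user, src_ip
    | where failures > 50
    | eval result_source="proxy_403_burst"
  ]
| table result_source, user, src_ip, failures
| sort - failures

(index=auth_logs sourcetype=linux_secure "Failed password") OR (index=web_proxy sourcetype=proxy_access status=403) earliest=-15m
| eval result_source=if(index="auth_logs", "ssh_failed_logins", "proxy_403_burst")
| stats count AS failures BY result_source, user, src_ip
| where (result_source="ssh_failed_logins" AND failures > 20) OR (result_source="proxy_403_burst" AND failures > 50)
| sort - failures
```

Either pipeline returns rows from both searches in a single result set, so an alert with a trigger condition of "number of results greater than 0" fires once and its results table, email or ticket carries both kinds of findings, tagged by result_source. The mixed-search form avoids the subsearch row limit that append is subject to, which matters if a condition could ever match far more than a handful of users.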

richgalloway
SplunkTrust

It's hard to give a good answer with so little information. Post your current query and we'll try to help.
The join and append commands can be used to combine search results.

---
If this reply helps you, Karma would be appreciated.