
Combining two searches

Deepz2612
Explorer

Hi,
I have 2 searches and the results are as below
1st search result:
xyz 200 400 500 600 502
Add 0 1 0 0 0
Delete 0 2 1 3 4

2nd search result:
wer 200 400 500 600 502
Add_call 0 1 0 0 0
Now_call 0 2 1 3 4

Kindly help!!


renjith_nair
Legend

@Deepz2612 ,

OK, based on the comments, try:

"your base search to get API and Service events"
|eval _tmp=Service."#".api|chart count over _tmp by response_code
|rex field=_tmp "(?<Service>.+)#(?<api>.+)"|fields Service,api,*
Happy Splunking!


0 Karma
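The pipeline from the accepted answer, run against constructed test data so it can be pasted into a search bar as-is (an added example, not part of the original posts). The field `constructed_events` and its sample rows are made up here; `Service`, `api` and `response_code` are the field names used in the thread.

```spl
| makeresults
| eval constructed_events="xyz,Add,400;xyz,Delete,400;xyz,Delete,400;xyz,Delete,500;wer,Add_call,400;wer,Now_call,502"
| makemv delim=";" constructed_events
| mvexpand constructed_events
| rex field=constructed_events "^(?<Service>[^,]+),(?<api>[^,]+),(?<response_code>\d+)$"
| eval _tmp=Service."#".api
| chart count over _tmp by response_code
| rex field=_tmp "(?<Service>.+)#(?<api>.+)"
| fields Service, api, *
```

If either `Service` or `api` is missing from an event (field names are case-sensitive), the concatenation is null and that event drops out of the chart. The greedy `.+` in the final `rex` splits on the last `#`, so the delimiter must not occur in `api` values.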

renjith_nair
Legend

@Deepz2612 ,
So did you check why this is not working? It works for test data, so we should look into your events. Do you see some data for
your base search Service=* api=* |head 10 |table Service api response_code|eval tmp=Service."#".api

Happy Splunking!
0 Karma

Deepz2612
Explorer

This worked!

0 Karma

jvishwak
Path Finder

Can you try combining API and Service values together (with some delimiter) and then run the chart command, like:
eval X = Api . "/ ". Service | Chart values(total) over X by response_code
After this you can split the combined value in separate fields.

0 Karma

Deepz2612
Explorer

Nope this is not working..
The concatenation and chart over concatenated field is fetching no results..
So both the above suggestions are not working..

0 Karma

renjith_nair
Legend

@Deepz2612,

  • Are these (api,service) part of the same event or different events?
  • Is the count always going to be the same for both API/SERVICE? If the count over API is different from SERVICE, how do you want to represent the count in the final result?
  • How do you relate API to service? i.e. Add to add_call, delete to delete_call etc.?
Happy Splunking!
0 Karma