Combining two searches

Deepz2612
Explorer

Hi,
I have 2 searches and the results are as below
1st search result:
xyz 200 400 500 600 502
Add 0 1 0 0 0
Delete 0 2 1 3 4

2nd search result:
wer 200 400 500 600 502
Add_call 0 1 0 0 0
Now_call 0 2 1 3 4

Kindly help!!

0 Karma

renjith_nair
SplunkTrust

@Deepz2612 ,

OK, based on the comments, try:

"your base search to get API and Service events"
|eval _tmp=Service."#".api|chart count over _tmp by response_code
|rex field=_tmp "(?<Service>.+)#(?<api>.+)"|fields Service,api,*
Happy Splunking!

0 Karma

renjith_nair
SplunkTrust

@Deepz2612 ,
So, did you check why this is not working? It works for test data, so we should look into your events. Do you see some data for:
your base search Service=* api=* |head 10 |table Service api response_code|eval tmp=Service."#".api

Happy Splunking!
0 Karma

Deepz2612
Explorer

This worked!

0 Karma

jvishwak
Path Finder

Can you try combining the API and Service values together (with some delimiter) and then running the chart command, like:
eval X = Api . "/ ". Service | Chart values(total) over X by response_code
After this you can split the combined value in separate fields.

0 Karma

Deepz2612
Explorer

Nope this is not working..
The concatenation and chart over concatenated field is fetching no results..
So both the above suggestions are not working..

0 Karma

renjith_nair
SplunkTrust

@Deepz2612,

  • Are these (api,service) part of the same event or different events?
  • Is the count always going to be the same for both API/SERVICE? If the count over API is different from SERVICE, how do you want to represent the count in the final result?
  • How do you relate API to service? i.e. Add to add_call, delete to delete_call, etc.?
Happy Splunking!
0 Karma