Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to combine multiple searches and output results into one CSV file?

mendesjo
Path Finder
‎01-12-2017 12:32 PM

Here is example query..

index=A host=host1 | stats count by host 
| index=B sourcetype=s1 | dedup host | table host 
| index=C sourcetype=s2 | dedup host | table host 
| outputcsv output_file_name

Individually, these queries work, but in a perfect world I'd like to run the queries as one to produce the outputs into one single CSV. Possible? Running the searches separately and appending to same CSV file is fine also.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gokadroid
Motivator
‎01-12-2017 12:40 PM

how about using append

index=A host=host1 | stats count by host 
|append [ search  index=B sourcetype=s1 | dedup host | table host ]
|append [ search  index=C sourcetype=s2 | dedup host | table host ]
| outputcsv output_file_name

For details on append see here

View solution in original post

Reply
Solved! Jump to solution
Solution

gokadroid
Motivator
‎01-12-2017 12:40 PM

how about using append

index=A host=host1 | stats count by host 
|append [ search  index=B sourcetype=s1 | dedup host | table host ]
|append [ search  index=C sourcetype=s2 | dedup host | table host ]
| outputcsv output_file_name

For details on append see here

Reply
Solved! Jump to solution

mendesjo
Path Finder
‎01-12-2017 12:55 PM

Thank you for the suggestion, wow that works!

0 Karma
Reply
Solved! Jump to solution

somesoni2
SplunkTrust
SplunkTrust
‎01-12-2017 12:40 PM

Try these

(index=A host=host1) OR (index=B sourcetype=s1) OR (index=C sourcetype=s2)
| stats count by host | outputcsv output_file_name

If you don't want count field for index=B and index=C, try this

(index=A host=host1) OR (index=B sourcetype=s1) OR (index=C sourcetype=s2)
| stats count by host | eval count=if(host="host1",count,null())| outputcsv output_file_name
Reply
Solved! Jump to solution

mendesjo
Path Finder
‎01-12-2017 12:57 PM

Thank you for the suggestion, you are correct with your 2nd suggestion I didn't want to count them and I find the append command easier to work with. Thanks again, totally forgot that OR will do it as well. Thanks again!

0 Karma
Reply
Get Updates on the Splunk Community!

Observability | How to Think About Instrumentation Overhead (White Paper)

Novice observability practitioners are often overly obsessed with performance. They might approach ...

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

IDC Report: Enterprises Gain Higher Efficiency and Resiliency With Migration to Cloud  Today many enterprises ...

The Great Resilience Quest: 10th Leaderboard Update

The tenth leaderboard update (11.23-12.05) for The Great Resilience Quest is out >> As our brave ...