Say I have two scheduled reports with results like:
report1 - source destination score1
report2 - source destination score2
How can I join the results of these two scheduled reports so that I can see a
combined report: source destination score1 score2?
(Note: the actual reports are far more complex, and I cannot simply combine the queries to make one new report.)
I have considered (and solved) writing the output to a lookup table and doing the joins from those. There is some appeal to that, but I would like to know how to do it without lookup tables.
You sure can!
I would try to use loadjob
https://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/Loadjob
| loadjob savedsearch="username:appname:report1" | fields source destination score1 | join source destination [| loadjob savedsearch="username:appname:report2" | fields source destination score2]
Tweak as needed.
Have a look at the | savedsearch or | loadjob commands.
Basically you can run
| loadjob savedsearch="<user-string>:<app-string>:report1" | append [| loadjob savedsearch="<user-string>:<app-string>:report2"]
Works great! Thanks cmerriman!
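An added example, not from either answer: append on its own stacks the two result sets as separate rows, so a stats over the shared keys is one way to fold them into a single row per source/destination pair, and unlike join's default inner join it keeps pairs that appear in only one report. The makeresults rows and their values are constructed sample data standing in for the two loadjob calls.

```spl
| makeresults
| eval source="10.0.0.5", destination="10.0.0.9", score1=40
| append
    [| makeresults
     | eval source="10.0.0.6", destination="10.0.0.9", score1=15]
| append
    [| makeresults
     | eval source="10.0.0.5", destination="10.0.0.9", score2=70]
| append
    [| makeresults
     | eval source="10.0.0.7", destination="10.0.0.9", score2=22]
| stats values(score1) AS score1 values(score2) AS score2 BY source destination
```

With real reports, everything before the stats line is replaced by the loadjob ... | append [| loadjob ...] search from the answer above.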