Can I combine 2 queries?

Ash1 · ‎10-19-2022

Below is my query1:

index=adc  source=abc  "FilesTrasfered DO980"  |timechart span=1d count  |stats count as D0980 Files

query2:

index=adc  source=abc  "FilesTrasfered DO981"  |timechart span=1d count  |stats count as D0981Files

i tried to combine 2 queries and get the result in table format, so i used append command, but i am getting result in 2 different rows.

DO980 Files	DO981 Files
500
	230

But i want to get the results in the same row like shown in below format:

DO980 Files	DO981 Files
500	230

bowesmana · ‎10-19-2022

These queries seem a little odd

index=adc  source=abc  "FilesTrasfered DO980"
|timechart span=1d count
|stats count as D0980 Files

this search for example is counting the events per day with that matching string and then you are counting the number of days, it's not actually counting the number of events - is that what you want?

As to combining the searches - this is the basic combination

index=adc  source=abc  ("FilesTrasfered DO980" OR "FilesTrasfered DO981")
| eval type=if(match(_raw, "D0980"), "D0980", "D0981")
| timechart span=1d count by type
| stats count(*) as *

however, if you are looking to count the number of events then

index=adc  source=abc  ("FilesTrasfered DO980" OR "FilesTrasfered DO981")
| eval type=if(match(_raw, "D0980"), "D0980", "D0981")
| stats count by type
| transpose 0 header_field=type

Can I combine 2 queries?

using Splunk Enterprise

Splunk Observability for AI

[Puzzles] Solve, Learn, Repeat: Dereferencing XML to Fixed-length events

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

Join the Conversation

Can I combine 2 queries?

using Splunk Enterprise

Splunk Observability for AI

[Puzzles] Solve, Learn, Repeat: Dereferencing XML to Fixed-length events

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!