Can I combine 2 queries?

Ash1 · ‎10-19-2022

Below is my query1:

index=adc  source=abc  "FilesTrasfered DO980"  |timechart span=1d count  |stats count as D0980 Files

query2:

index=adc  source=abc  "FilesTrasfered DO981"  |timechart span=1d count  |stats count as D0981Files

i tried to combine 2 queries and get the result in table format, so i used append command, but i am getting result in 2 different rows.

DO980 Files	DO981 Files
500
	230

But i want to get the results in the same row like shown in below format:

DO980 Files	DO981 Files
500	230

bowesmana · ‎10-19-2022

These queries seem a little odd

index=adc  source=abc  "FilesTrasfered DO980"
|timechart span=1d count
|stats count as D0980 Files

this search for example is counting the events per day with that matching string and then you are counting the number of days, it's not actually counting the number of events - is that what you want?

As to combining the searches - this is the basic combination

index=adc  source=abc  ("FilesTrasfered DO980" OR "FilesTrasfered DO981")
| eval type=if(match(_raw, "D0980"), "D0980", "D0981")
| timechart span=1d count by type
| stats count(*) as *

however, if you are looking to count the number of events then

index=adc  source=abc  ("FilesTrasfered DO980" OR "FilesTrasfered DO981")
| eval type=if(match(_raw, "D0980"), "D0980", "D0981")
| stats count by type
| transpose 0 header_field=type

Can I combine 2 queries?

using Splunk Enterprise

Index This | Why did the turkey cross the road?

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Feel the Splunk Love: Real Stories from Real Customers

Are you a member of the Splunk Community?

Can I combine 2 queries?

using Splunk Enterprise

Index This | Why did the turkey cross the road?

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Feel the Splunk Love: Real Stories from Real Customers