Splunk Enterprise
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Can I combine 2 queries?

Ash1
Communicator
‎10-19-2022 06:22 PM

Below is my query1:

index=adc  source=abc  "FilesTrasfered DO980"  |timechart span=1d count  |stats count as D0980 Files



query2:

index=adc  source=abc  "FilesTrasfered DO981"  |timechart span=1d count  |stats count as D0981Files



i tried to combine 2 queries and get the result in table format, so i used append command, but i am getting result  in 2 different rows.

DO980 Files DO981 Files
500  
  230


But i want to get the results in the same row like shown in below format:

DO980 Files DO981 Files
500 230
Labels (1)
Labels
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎10-19-2022 06:38 PM

These queries seem a little odd

 

index=adc  source=abc  "FilesTrasfered DO980"
|timechart span=1d count
|stats count as D0980 Files

 

this search for example is counting the events per day with that matching string and then you are counting the number of days, it's not actually counting the number of events - is that what you want?

As to combining the searches - this is the basic combination

index=adc  source=abc  ("FilesTrasfered DO980" OR "FilesTrasfered DO981")
| eval type=if(match(_raw, "D0980"), "D0980", "D0981")
| timechart span=1d count by type
| stats count(*) as *

 however, if you are looking to count the number of events then 

index=adc  source=abc  ("FilesTrasfered DO980" OR "FilesTrasfered DO981")
| eval type=if(match(_raw, "D0980"), "D0980", "D0981")
| stats count by type
| transpose 0 header_field=type
Reply
Get Updates on the Splunk Community!

Your Guide to Splunk Digital Experience Monitoring

A flawless digital experience isn't just an advantage, it's key to customer loyalty and business success. But ...

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...