Splunk Enterprise

Combine results of multiple queries and produce the result

shashank_24
Path Finder

Hi, I have a weird requirement where I want to find out -

If a user as signed into app1, then count them in results. Below is the query which shows signed into app1-

 

index=test
| search  apiKey=XXXXX
| search (event_name=cable.signin.success AND app_version="1.0.1") 

 

BUT if the same user has signed into app1 and then signed into app2 exclude them from results. Below is the query which shows user signed into app2

 

index=test
| search  apiKey=XXXXX
| search (event_name=cable.signin.success AND app_version="1.0.2") 

 

Once that is done I want to dedup the customers (field - uid) and then show the result.

Do i need to make use of sub search or is there a better way to do this? Let me know if someone can help

Labels (2)
0 Karma

manjunathmeti
Champion

hi @shashank_24,

Try this:

 

index=test apiKey=XXXXX event_name=cable.signin.success AND (app_version="1.0.1" OR app_version="1.0.2") 
| stats values(app_version) as app_version by uid 
| where app_version="1.0.1"

 

 

If this reply helps you, an upvote/like would be appreciated.

0 Karma

shashank_24
Path Finder

Hi @manjunathmeti I don't think that is quite right. It gives me the result like this as well -

UID count app_version

12345647
1.0.1
1.0.2
645364744
1.0.1
1.0.2
6537389036
1.0.1
1.0.2

 

Basically what i would want is count of users who have logged into app1 and then count of those who login to app1 and then without logging out logs into app2 as well. Final result will be difference of above 2.

0 Karma

manjunathmeti
Champion

Try this:

index=test apiKey=XXXXX event_name=cable.signin.success AND (app_version="1.0.1" OR app_version="1.0.2") 
| stats values(app_version) as app_version by uid 
| eval app_version=mvjoin(app_version, ",")
| stats count(eval(app_version="1.0.1")) as count1, count(eval(app_version="1.0.1,1.0.2")) as count2
| eval result=count1-count2
0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!