- Splunk Answers
- :
- Splunk Platform Products
- :
- Splunk Enterprise
- :
- Re: Combine results of multiple queries and produc...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Combine results of multiple queries and produce the result
Hi, I have a weird requirement where I want to find out -
If a user as signed into app1, then count them in results. Below is the query which shows signed into app1-
index=test
| search apiKey=XXXXX
| search (event_name=cable.signin.success AND app_version="1.0.1")
BUT if the same user has signed into app1 and then signed into app2 exclude them from results. Below is the query which shows user signed into app2
index=test
| search apiKey=XXXXX
| search (event_name=cable.signin.success AND app_version="1.0.2")
Once that is done I want to dedup the customers (field - uid) and then show the result.
Do i need to make use of sub search or is there a better way to do this? Let me know if someone can help
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi @shashank_24,
Try this:
index=test apiKey=XXXXX event_name=cable.signin.success AND (app_version="1.0.1" OR app_version="1.0.2")
| stats values(app_version) as app_version by uid
| where app_version="1.0.1"
If this reply helps you, an upvote/like would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @manjunathmeti I don't think that is quite right. It gives me the result like this as well -
UID count app_version
| 123456 | 47 | 1.0.1 1.0.2 |
| 6453647 | 44 | 1.0.1 1.0.2 |
| 65373890 | 36 | 1.0.1 1.0.2 |
Basically what i would want is count of users who have logged into app1 and then count of those who login to app1 and then without logging out logs into app2 as well. Final result will be difference of above 2.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this:
index=test apiKey=XXXXX event_name=cable.signin.success AND (app_version="1.0.1" OR app_version="1.0.2")
| stats values(app_version) as app_version by uid
| eval app_version=mvjoin(app_version, ",")
| stats count(eval(app_version="1.0.1")) as count1, count(eval(app_version="1.0.1,1.0.2")) as count2
| eval result=count1-count2
Introducing Splunk Enterprise 9.2
Adoption of RUM and APM at Splunk
Routing logs with Splunk OTel Collector for Kubernetes
