Splunk Enterprise

Combine results of multiple queries and produce the result

shashank_24
Path Finder

Hi, I have a weird requirement where I want to find out -

If a user has signed into app1, then count them in the results. Below is the query which shows users signed into app1 -

 

index=test
| search  apiKey=XXXXX
| search (event_name=cable.signin.success AND app_version="1.0.1") 

 

BUT if the same user has signed into app1 and then signed into app2, exclude them from the results. Below is the query which shows users signed into app2 -

 

index=test
| search  apiKey=XXXXX
| search (event_name=cable.signin.success AND app_version="1.0.2") 

 

Once that is done I want to dedup the customers (field - uid) and then show the result.

Do I need to make use of a subsearch or is there a better way to do this? Let me know if someone can help.

0 Karma

manjunathmeti
Champion

Hi @shashank_24,

Try this:

 

index=test apiKey=XXXXX event_name=cable.signin.success AND (app_version="1.0.1" OR app_version="1.0.2") 
| stats values(app_version) as app_version by uid 
| where app_version="1.0.1"

 

 

If this reply helps you, an upvote/like would be appreciated.

0 Karma

shashank_24
Path Finder

Hi @manjunathmeti I don't think that is quite right. It gives me the result like this as well -

UID count app_version

12345647    1.0.1, 1.0.2
645364744    1.0.1, 1.0.2
6537389036    1.0.1, 1.0.2

 

Basically what I would want is the count of users who have logged into app1, and then the count of those who log in to app1 and then, without logging out, log into app2 as well. The final result will be the difference of the above 2.

0 Karma

manjunathmeti
Champion

Try this:

index=test apiKey=XXXXX event_name=cable.signin.success AND (app_version="1.0.1" OR app_version="1.0.2") 
| stats values(app_version) as app_version by uid 
| eval app_version=mvjoin(app_version, ",")
| stats count(eval(app_version="1.0.1")) as count1, count(eval(app_version="1.0.1,1.0.2")) as count2
| eval result=count1-count2
0 Karma
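
An order-aware variant of the queries in this thread, added here as an example and not written by either poster: it keeps a uid only when no 1.0.2 sign-in occurs at or after that user's first 1.0.1 sign-in, then counts the users that remain. It assumes _time is the sign-in time; the field names first_app1, last_app2 and app1_not_followed_by_app2 are made up for the example, and logouts are not considered because the thread names no logout event.

```spl
index=test apiKey=XXXXX event_name=cable.signin.success (app_version="1.0.1" OR app_version="1.0.2")
| stats min(eval(if(app_version="1.0.1", _time, null()))) as first_app1
        max(eval(if(app_version="1.0.2", _time, null()))) as last_app2
        by uid
| where isnotnull(first_app1) AND (isnull(last_app2) OR last_app2 < first_app1)
| stats count as app1_not_followed_by_app2
```

Because the first stats groups by uid, each user is counted once, so no separate dedup is needed.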