Append command not working to combine two searches...

kanj · ‎02-06-2020

Hello there,

Step1:
user software_name dc_today dc_past
A XYZ.exe 1 9
B PQR.exe 2 3
C DTA.exe 0 1

The final result should be:
user software_name dc_today
A XYZ.exe 1

So I am running two similar searches with differences in timespan.
1) Append is not reflecting the sub-search
2) Is there more efficient way for this?

Thanks in advance!
KanJ

to4kawa · ‎02-06-2020

 index=* earliest=-1d 
| stats dc(user) as dc by software_name 
| eval dc_today=if(dc=1, 1, 0) 
| append 
    [ search index=* earliest=-5d 
    | stats dc(user) as dc by software_name 
    | eval dc_past=if(dc=1,1,0)] 
| table user software_name dc_today dc_past

The user of your query is disappear. because stats aggregates.

index=* earliest=-5d 
| stats dc(eval(if(related_time(now(),"-1d") <= _time,user,NULL))) as dc_today dc(user) as dc_past by software_name

Unique user count in software name is above.

The final result should be:
user software_name dc_today
A XYZ.exe 1

What's your logic?

Append command not working to combine two searches with the same result but events occurred in two different timespans

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases

Are you a member of the Splunk Community?

Append command not working to combine two searches with the same result but events occurred in two different timespans

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases