Splunk Search

Can I join fields output from two extensive search queries to create a list of fields on which I can run my final query to get the desired result?


I am new to Splunk and right now trying to create a dashboard for IT.
I have different CSV files for AV, Patch, and Software Installed.
I am able to individually upload all the CSV files into the same index and perform search operations to calculate the AVNotInstalled_status, PatchNotInstalled_status, and SoftwareInstalledExpired_status.
But when I want to combine the AV, Patch and SW status fields by joining the search queries as I have written, I am not able to get the desired combination.

Any help appreciated.

P.S. I am new to the Splunk Help. Please let me know if I need to provide any more information. I can't share data or search queries due to confidentiality agreements.

0 Karma


Okay, here is what you need to give us, at a minimum, for us to be able to help.

1) The format of each of the files, with non-confidential sample data. Mark them each with the code button (101 010) so they stay formatted the way you want them. You could also indent them by four or more spaces and that will work too.

2) What your current code is (mark it as code, same way.)

3) What your current output is (same).

If you understand your data, then you can get us non-confidential versions of it. You really need to break the problem down into a "toy" problem, with a minimum number of fields. The fields can be called "foo" and "bar", or "field1" and "field2", or "animal" and "flower", it doesn't matter.

Before you try to do that, go read my response on this one, which tells you somewhat how to think about writing Splunk queries:


0 Karma


Hi @DalJeanis

I had raised another query before this one was answered. I have also added comments as you have suggested.
Please refer to that query and provide me guidance.

0 Karma


Hi @MuS, can you have a look at my query and advise me?

0 Karma


Hi vikfnu,

Without further and much more detailed information, it is impossible to help you. If you cannot share the search or the data, then there is not much we can do ¯\_(ツ)_/¯

cheers, MuS

0 Karma