Re: Can you combine fields from multiple search in...

roopasree · ‎06-12-2018

Hi

I'm trying to combine fields in multiple search result in one output table as overall result, for example:

Search 1 result
Date,open ,close

Search 2 result
incident ,type1,result

Output table
Date,open ,close,incident ,type1,result

Hope question is clear

Thanks

PowerPacked · ‎06-12-2018

Hi @roopasree

There should be a common field in main & sub search to map the results correctly,

if you want to just append the columns use the above answer ----- appendcols, append commands should work for that.

if you want to map the results between main and sub search based on a specific field ----- join command should work for you.

main search | fields date,open,close,incidentnum | join incidentnum [search subsearch | fields incident,type1,result,incidentnum] | stats c by date,open,close,incidentnum,incident,type1,result

Thanks

jowenssi · ‎06-12-2018

Sure, just use | appendcols

search foo | fields date,open,close | appendcols [ search bar | fields incident,type1,result]

http://docs.splunk.com/Documentation/Splunk/7.1.1/SearchReference/Appendcols

pradeepkumarg · ‎06-12-2018

How will you know what rows from result 1 relate to what rows in result 2? Is there not a common field between the two datasets?

roopasree · ‎06-13-2018

@gpradeepkumarreddy yes there is no comman field among two datasets

Can you combine fields from multiple search in one table?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!