Re: Can you combine fields from multiple search in...

roopasree · ‎06-12-2018

Hi

I'm trying to combine fields in multiple search result in one output table as overall result, for example:

Search 1 result
Date,open ,close

Search 2 result
incident ,type1,result

Output table
Date,open ,close,incident ,type1,result

Hope question is clear

Thanks

PowerPacked · ‎06-12-2018

Hi @roopasree

There should be a common field in main & sub search to map the results correctly,

if you want to just append the columns use the above answer ----- appendcols, append commands should work for that.

if you want to map the results between main and sub search based on a specific field ----- join command should work for you.

main search | fields date,open,close,incidentnum | join incidentnum [search subsearch | fields incident,type1,result,incidentnum] | stats c by date,open,close,incidentnum,incident,type1,result

Thanks

jowenssi · ‎06-12-2018

Sure, just use | appendcols

search foo | fields date,open,close | appendcols [ search bar | fields incident,type1,result]

http://docs.splunk.com/Documentation/Splunk/7.1.1/SearchReference/Appendcols

pradeepkumarg · ‎06-12-2018

How will you know what rows from result 1 relate to what rows in result 2? Is there not a common field between the two datasets?

roopasree · ‎06-13-2018

@gpradeepkumarreddy yes there is no comman field among two datasets

Can you combine fields from multiple search in one table?

What the End of Support for Splunk Add-on Builder Means for You

Solve, Learn, Repeat: New Puzzle Channel Now Live

Building Reliable Asset and Identity Frameworks in Splunk ES

Are you a member of the Splunk Community?

Can you combine fields from multiple search in one table?

What the End of Support for Splunk Add-on Builder Means for You

Solve, Learn, Repeat: New Puzzle Channel Now Live

Building Reliable Asset and Identity Frameworks in Splunk ES