Can you combine fields from multiple search in one...

nieivan · ‎10-23-2017

Hi

I'm trying to combine fields in multiple search result in one output table as overall result, for example:

Search 1 result
time1,username1,condition1

Search 2 result
time1,username1,condition2

Output table
time1,username1,condition1,condition2

Hope I make the question clear.

Thanks!

nieivan · ‎10-24-2017

Thanks,

the example of my search are following
search 1

index=devicelogs host=IP address  check_result="*" | table time,user,check_result

result 1

time,user,check_result

search 2

index=devicelogs host=IP address  client_version="*" | table time,user,client_version

result 2

time, user, client_version

I need to combine the results into one table, which looks like:

time,user,check_result,client_version

cmerriman · ‎10-23-2017

can you provide the searches that create those results?

try something like this to create one search:

index=index1 OR index=index2
|eval condition1=if(index="index1",condition,null())
|eval condition2=if(index="index2",condition,null())
|stats values(condition1) as condition1 values(condition2) as condtion2 by time username

or you can use join type=left username time with the two searches. however, there are limits with join.

Can you combine fields from multiple search in one table?

Advanced Splunk Data Management Strategies

Uncovering Multi-Account Fraud with Splunk Banking Analytics

Secure Your Future: A Deep Dive into the Compliance and Security Enhancements for the ...