Can you combine fields from multiple search in one...

nieivan · ‎10-23-2017

Hi

I'm trying to combine fields in multiple search result in one output table as overall result, for example:

Search 1 result
time1,username1,condition1

Search 2 result
time1,username1,condition2

Output table
time1,username1,condition1,condition2

Hope I make the question clear.

Thanks!

nieivan · ‎10-24-2017

Thanks,

the example of my search are following
search 1

index=devicelogs host=IP address  check_result="*" | table time,user,check_result

result 1

time,user,check_result

search 2

index=devicelogs host=IP address  client_version="*" | table time,user,client_version

result 2

time, user, client_version

I need to combine the results into one table, which looks like:

time,user,check_result,client_version

cmerriman · ‎10-23-2017

can you provide the searches that create those results?

try something like this to create one search:

index=index1 OR index=index2
|eval condition1=if(index="index1",condition,null())
|eval condition2=if(index="index2",condition,null())
|stats values(condition1) as condition1 values(condition2) as condtion2 by time username

or you can use join type=left username time with the two searches. however, there are limits with join.

Can you combine fields from multiple search in one table?

OpenTelemetry for Legacy Apps? Yes, You Can!

UCC Framework: Discover Developer Toolkit for Building Technology Add-ons

.conf25 Community Recap

Are you a member of the Splunk Community?

Can you combine fields from multiple search in one table?

OpenTelemetry for Legacy Apps? Yes, You Can!

UCC Framework: Discover Developer Toolkit for Building Technology Add-ons

.conf25 Community Recap