Can you help me with my subsearch?

jip31
Builder

Hello

I am trying to combine the 2 queries below.

QUERY 1

    index="ai-wkst-wineventlog-fr" sourcetype=XmlWinEventLog source="XmlWinEventLog:Application"
    Level=1 OR Level=3 Name=* 
    | dedup _time Name 
    | stats count as Erreurs by host| sort - Erreurs limit=10 

QUERY 2

    index="ai-wkst-windows-fr" sourcetype=WinRegistry key_path="\\registry\\machine\\software\\wow6432node\\XX\\master\\WindowsVersion" 
        OR 
        key_path="\\registry\\machine\\software\\microsoft\\windows nt\\currentversion\\ReleaseId" 
    | eval OS=if(key_path=="\\registry\\machine\\software\\wow6432node\\XX\\master\\WindowsVersion",data, null), 
        Build=if(key_path=="\\registry\\machine\\software\\microsoft\\windows nt\\currentversion\\ReleaseId",data,null) 

I want to run stats on the events like this:

For one hostname, I want to count errors (query 1) by OS and by Build (query 2).

I tried something like this, but it doesn't work:

    index="ai-wkst-wineventlog-fr" sourcetype=XmlWinEventLog source="XmlWinEventLog:Application"
    Level=1 OR Level=3 Name=* 
    | dedup _time Name 
    | stats count as Erreurs by host| sort - Erreurs limit=10 |append 
        [ search index="ai-wkst-windows-fr" sourcetype=WinRegistry key_path="\\registry\\machine\\software\\wow6432node\\XX\\master\\WindowsVersion" 
            OR 
            key_path="\\registry\\machine\\software\\microsoft\\windows nt\\currentversion\\ReleaseId" 
        | eval OS=if(key_path=="\\registry\\machine\\software\\wow6432node\\XX\\master\\WindowsVersion",data, null), 
            Build=if(key_path=="\\registry\\machine\\software\\microsoft\\windows nt\\currentversion\\ReleaseId",data,null) 
        | stats latest(OS) as OS latest(Build) as Build by host, Erreurs ] 
    | stats values(OS) as OS values(Build) as Build by host, Erreurs|

Could you help me, please?
