Splunk Search

Combine search and sub search without losing records?

Path Finder

I am performing a search and sub search and would like to combine the results into a single result set. I have run the 2 searches individually and have an idea of what the combined result set should be. I have tried to join, append, appendcol the sub search with all of the different options inner/outer join, overwrite/override=true/false, etc. and in all of these cases, my result set is missing records that should be in there (i.e. combined I should have like 30 unique records but the max I get is 10).

Any idea what might be going on? There are some records that appear in both searches and some that are only in 1. In most cases, it seems like the sub search results are the ones that are missing.

1 Solution

Path Finder

Figured it out with an append, then running another stats command to add values from both result sets and grouping by the primary key.


0 Karma

Path Finder

I can't share my data, as it's private customer data, but I can walk you through it in pseudo code and maybe that will help...

sourcetype=X | where var1="a" OR (var2="b" OR var2="d") OR var3="g" | stats count(var1), sum(var2), sum(var3) by var4 | append [search sourcetype=X | where (NOT var1="a") AND (var2="c" OR var2="f") | stats count(var1), sum(var2), sum(var3) by var4]

The append combined my result sets, but it resulted in duplicates of var4. So then I added another stats command like: stats sum(var1), sum(var2), sum(var3) by var4. This combined the duplicates and added the values.

That Help?

0 Karma
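As an added example (not the original poster's query, which runs against private data): the same append-then-stats pattern from the accepted answer and the walk-through above, built on constructed rows via makeresults so it can be pasted into any Splunk search bar. The field names var1/var3/var4, the keys k1..k3 and the values are made up; the outer search keeps var1="a" events and the subsearch keeps the rest, mirroring the NOT var1=a split in the pseudo code.

```spl
| makeresults count=1
| eval rows="a:k1:5;a:k2:3;z:k2:7;z:k3:1"
| makemv delim=";" rows
| mvexpand rows
| rex field=rows "(?<var1>[^:]+):(?<var4>[^:]+):(?<var3>\d+)"
| where var1="a"
| stats count AS events sum(var3) AS var3_total BY var4
| append
    [| makeresults count=1
     | eval rows="a:k1:5;a:k2:3;z:k2:7;z:k3:1"
     | makemv delim=";" rows
     | mvexpand rows
     | rex field=rows "(?<var1>[^:]+):(?<var4>[^:]+):(?<var3>\d+)"
     | where var1!="a"
     | stats count AS events sum(var3) AS var3_total BY var4]
| stats sum(events) AS events sum(var3_total) AS var3_total BY var4
```

The outer stats produces k1 and k2, the subsearch produces k2 and k3, and append stacks all four rows; the final stats collapses the two k2 rows into one, giving k1 (1 event, 5), k2 (2 events, 10) and k3 (1 event, 1). A join on var4 would instead keep only the keys present on one side (inner: k2 only; left/outer: k1 and k2, dropping k3), which is exactly the "missing records" symptom in the question. Naming the aggregations with AS matters for the second stats: without it the first stats emits fields literally called count and sum(var3), which is why the walk-through's sum(var1) would find nothing to add up. If the subsearch is still short of rows, check the job messages for a subsearch truncation warning, since Splunk silently caps subsearch output at its configured limits.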

Contributor

Would you be willing to share an example? I've been battling with this one for a while and it might save some time...thanks!

0 Karma

Motivator

So provide the event samples and query so we can help...

0 Karma

Path Finder

Time is not the issue, the sub search runs quickly.

The sub search has 9 results/events

0 Karma

Motivator

You might be facing a sub-search limitation. To help you, let us know how many events your sub-search has...

0 Karma

Builder

How long does your sub search take to run?

0 Karma