Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Combine the two search commands output to get the desired result

harshal_chakran
Builder
‎02-05-2014 05:05 AM

Hi,

I have one search command which gives the output in table as shown below:

parameter1 value1

param1 10

param2 20

param3 30

param4 40

param5 50

And other serach which gives the output as:-

parameter2 value2

param7 10

param10 20

param1 30

param2 40

param4 50

param17 60

param5 70

param20 80

param3 90

param8 100

I want the output as :-

parameter value1 value2

param1 10 30

param2 20 40

param3 30 90

param4 40 50

param5 50 70

I am trying to implement one search command by appending both the searches to get the provided result. Only first command parameters should taken from second command to form the final result.

Please Help...!!!

Tags (4)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎02-05-2014 07:52 AM

I guess you can try join command as follows

<your first search giving parameter1, value1> | rename parameter1 as parameter
| join parameter [search <your second search giving parameter2 and value2> | rename parameter2 as parameter] | table parameter, value1, value2

Other option you can try is appendcols but it has come limitations

View solution in original post

Reply
Solved! Jump to solution

jpass
Contributor
‎02-05-2014 08:06 AM

please share the searches you use to generate the two different sets of output.

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎02-05-2014 07:52 AM

I guess you can try join command as follows

<your first search giving parameter1, value1> | rename parameter1 as parameter
| join parameter [search <your second search giving parameter2 and value2> | rename parameter2 as parameter] | table parameter, value1, value2

Other option you can try is appendcols but it has come limitations

Reply
Solved! Jump to solution

Rocket66
Communicator
‎02-05-2014 05:52 AM

It's difficult to find a solution without knowing the searches 🙂

But some approach is to combine the 2 searches with "OR" and then pipe the result and make a "stats count" on that values "by parameter" ... and then do a "mvexpand" on that multivalues.

But this is a very rough approach 🙂

Greetz, Robert

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...