Splunk Search

Events list of append command

shayhibah
Path Finder

I have a query like this:

first_query | dedup 1 id | search action=drop | stats count by action, destination | fields action | stats count(eval(action=drop)) |
append [search second_query | dedup 1 id | search action=drop | stats count by action, source | fields action | stats count(eval(action=drop))]

After clicking the "Events" tab in the search view, I get relevant logs only for the first query and not even one log of the second query.
When running each query separately, the first_query gives me 11 events and the second_query gives me 71 events.

How can I get all results of all appended queries (82 events)?

Thanks

0 Karma

DalJeanis
Legend

Seems like you are trying to compare the number of distinct destinations that experienced a drop with the number of distinct sources. This can be done in a single combined query, without doing an append at all. Whenever possible, you want to do your searches that way.

If the two searches are returning the exact same records to be counted two different ways, you could do it completely using this format...

( first_query ) OR ( second_query ) 
| dedup id
| search action=drop 
| stats dc(source) as source dc(destination) as destination

On the other hand, if they are different record types, then try something like this...

( first_query ) OR ( second_query )
| eval thequery=case(first_query,"destination", second_query, "source")  
| dedup 1 id thequery
| eval field2=case(first_query,destination, second_query,source)
| search action=drop 
| stats dc(field2) as count by field2
| eval junk=1
| xyseries junk field2 count

Note - If the different searches have different indexes or sourcetype, you could use that distinctive field instead of building the field thequery.
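A worked version of the combined-search approach described above, written as an added example rather than code from any of the posters. It assumes two hypothetical firewall sourcetypes, fw:a (where the endpoint of interest is destination) and fw:b (where it is source), a common id field, and an action field whose dropped events carry the literal value drop. Because the whole base search is one OR'd search, every matching raw event from both sources shows up in the Events tab; with append, the subsearch's rows are only merged into the results table, which is why the original query's Events tab showed the first query's events alone.

```spl
(index="fw_a" sourcetype="fw:a") OR (index="fw_b" sourcetype="fw:b")
| eval side=if(sourcetype="fw:a", "destination", "source")
| dedup id side
| eval endpoint=if(side="destination", destination, source)
| search action="drop"
| stats count AS dropped_events, dc(endpoint) AS distinct_endpoints BY side
```

Two details worth checking against the original query: inside eval expressions an unquoted word is a field name, so count(eval(action=drop)) compares action with a field called drop and silently counts nothing, whereas action="drop" compares with the string; and when stats is fed an eval, give the result a name with AS, otherwise the search errors out. The dedup is keyed on id together with side so that an id seen in both sourcetypes is kept once per side, matching the per-query dedup 1 id of the original.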

woodcock
Esteemed Legend

What he said.

0 Karma

harishalipaka
Motivator

Hi @shayhibah

Did you try like this:

index="_internal" sourcetype=splunkd |head 10 |append [search index="_internal" sourcetype=splunkd_ui_access |head 5]
Thanks
Harish
0 Karma

shayhibah
Path Finder

@harishalipaka
Thank you for your response.
This query works great but for some reason mine isn't.
What can be the issue? I don't want to use 'head' in my query since I want to see all results.

0 Karma

harishalipaka
Motivator

@shayhibah

Ya, you can use your own way here; I mentioned head for example purposes only. What I wanted to tell you here is that this is the syntax for how to append, that's it.

Thanks
Harish
0 Karma

shayhibah
Path Finder

@harishalipaka
I used your syntax (you can see it in the post above) but it does not work for me.

Any suggestions?

0 Karma

493669
Super Champion

Not sure if your query is working separately, as you have to rename the stats-eval part, else it will give an error:

first_query | dedup 1 id | search action=drop | stats count by action, destination | fields action | stats count(eval(action=drop)) as abc
0 Karma