How could I append the subsearch result with diffe...

jpeng5068 · ‎06-05-2015

Hi,

I am trying to combine two searches into one table with different fields name. for example, I have error source file A, have the filed errorcode with "codeA, codeB, codeC...", source file B have all the successful transaction records with the field name transnum, I want to have a table with the error count split by error code, and the total successful transactions count. The format is like this:

codeA xx
codeB xx
codeC xx
transactions xx

I tried the search:

source=A | stats count by errorcode | append [ search source=B | stats count(transnum) by count ]

The total transaction count will show at the last line, but the name column is empty.
errorcode count
codeA xx
codeB xx
codeC xx
xx

How could I add the name "transactions" to the last row of the search result?

jpeng5068 · ‎06-09-2015

That works, Thank you!

acharlieh · ‎06-05-2015

eval lets you set fields to calculations or to fixed arbitrary values. Use it within your appended search, and you should be all set:

source=A | stats count by errorcode | append [ search source=B | stats count(transnum) as count | eval errorcode="transactions" ]

How could I append the subsearch result with different fields

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM