Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How could I append the subsearch result with different fields

jpeng5068
New Member
‎06-05-2015 01:06 PM

Hi,

I am trying to combine two searches into one table with different fields name. for example, I have error source file A, have the filed errorcode with "codeA, codeB, codeC...", source file B have all the successful transaction records with the field name transnum, I want to have a table with the error count split by error code, and the total successful transactions count. The format is like this:

codeA xx
codeB xx
codeC xx
transactions xx

I tried the search:

source=A | stats count by errorcode | append [ search source=B | stats count(transnum) by count ]

The total transaction count will show at the last line, but the name column is empty.
errorcode count
codeA xx
codeB xx
codeC xx
xx

How could I add the name "transactions" to the last row of the search result?

Tags (2)
0 Karma
Reply

jpeng5068
New Member
‎06-09-2015 12:02 PM

That works, Thank you!

0 Karma
Reply

acharlieh
Influencer
‎06-05-2015 01:27 PM

eval lets you set fields to calculations or to fixed arbitrary values. Use it within your appended search, and you should be all set:

source=A | stats count by errorcode | append [ search source=B | stats count(transnum) as count | eval errorcode="transactions" ]
Reply
Get Updates on the Splunk Community!

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...