Splunk Search

How could I append the subsearch result with different fields

jpeng5068
New Member

Hi,

I am trying to combine two searches into one table with different field names. For example, I have an error source file A, which has the field errorcode with "codeA, codeB, codeC...", and source file B has all the successful transaction records with the field name transnum. I want to have a table with the error count split by error code, and the total successful transaction count. The format is like this:

codeA xx
codeB xx
codeC xx
transactions xx

I tried the search:

source=A | stats count by errorcode | append [ search source=B | stats count(transnum) as count ]

The total transaction count shows on the last line, but the name column is empty:
errorcode count
codeA xx
codeB xx
codeC xx
xx

How could I add the name "transactions" to the last row of the search result?


jpeng5068
New Member

That works, Thank you!


acharlieh
Influencer

eval lets you set fields to calculations or to fixed arbitrary values. Use it within your appended search, and you should be all set:

source=A | stats count by errorcode | append [ search source=B | stats count(transnum) as count | eval errorcode="transactions" ]
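Two ways to produce the requested table, written here as an added example rather than code from either poster. Both assume the field names from the question (source values A and B, a field errorcode in A, a field transnum in B); the second additionally assumes that source holds exactly the literal values A and B, which is an assumption, since in practice source is usually a full path.

```spl
source=A
| stats count by errorcode
| append
    [ search source=B
      | stats count(transnum) as count
      | eval errorcode="transactions" ]
| table errorcode count

(source=A) OR (source=B)
| eval errorcode=case(source=="A", errorcode,
                      source=="B" AND isnotnull(transnum), "transactions")
| stats count by errorcode
| table errorcode count
```

The first search is the accepted answer with a trailing table so the columns always come out in the order errorcode, count regardless of which search contributed a field first. The second avoids the subsearch entirely: case() returns null for any event that matches neither branch, and stats ... by drops events whose split field is null, so error events without an errorcode and B events without a transnum fall out exactly as they do in the two-search version. That matters when source=B is large, because an append subsearch is capped by its maxout (50,000 results by default) and maxtime (60 seconds by default) arguments and is silently truncated past them, whereas the single-pass form is bounded only by the main search.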