Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How could I append the subsearch result with different fields

jpeng5068
New Member
‎06-05-2015 01:06 PM

Hi,

I am trying to combine two searches into one table with different fields name. for example, I have error source file A, have the filed errorcode with "codeA, codeB, codeC...", source file B have all the successful transaction records with the field name transnum, I want to have a table with the error count split by error code, and the total successful transactions count. The format is like this:

codeA xx
codeB xx
codeC xx
transactions xx

I tried the search:

source=A | stats count by errorcode | append [ search source=B | stats count(transnum) by count ]

The total transaction count will show at the last line, but the name column is empty.
errorcode count
codeA xx
codeB xx
codeC xx
xx

How could I add the name "transactions" to the last row of the search result?

Tags (2)
0 Karma
Reply

jpeng5068
New Member
‎06-09-2015 12:02 PM

That works, Thank you!

0 Karma
Reply

acharlieh
Influencer
‎06-05-2015 01:27 PM

eval lets you set fields to calculations or to fixed arbitrary values. Use it within your appended search, and you should be all set:

source=A | stats count by errorcode | append [ search source=B | stats count(transnum) as count | eval errorcode="transactions" ]
Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security(ES) 7.3 is approaching the end of support. Get ready for ...

Hi friends!    At Splunk, your product success is our top priority. With Enterprise Security (ES), we're here ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk, and empower your SOC to reach new heights! Duration: 1 hour  Prepare to ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...