Splunk Search

How do you combine two searches?

Mike6960
Path Finder

I have two searches that work fine, but I want to show them in one dashboard. I have these two

1-....search....:

 |stats count values(Message.DocumentId) as "Doumentid" by cbatchid

2-....search....

| stats count(eval('message.information'="Sent to ESB")) as Sent,count(eval('message.information'!="Sent to ESB")) as NOTSENT by message.x-cak-messageid |  eval Status=if(Sent=1,"OK","NOK")

Index, source etc. are the same, the searches only contain which index en source to search in. How can I combine the two ?

0 Karma
1 Solution

Oracle
Explorer

Try this search..

| makeresults
| eval id="1"
| eval batch="2013"
| appendcols [| makeresults | eval success=1
| eval failure=4
| eval message=Thisissample
| eval Status=if(success=1,"OK","NOK")]

It works for me..

Note: You can use either "appendcols, append, join" depending on the results you want to output.

https://splunkonbigdata.com/2018/09/05/usage-of-splunk-commands-appendcols/

View solution in original post

0 Karma

Oracle
Explorer

Try this search..

| makeresults
| eval id="1"
| eval batch="2013"
| appendcols [| makeresults | eval success=1
| eval failure=4
| eval message=Thisissample
| eval Status=if(success=1,"OK","NOK")]

It works for me..

Note: You can use either "appendcols, append, join" depending on the results you want to output.

https://splunkonbigdata.com/2018/09/05/usage-of-splunk-commands-appendcols/

0 Karma

Mike6960
Path Finder

Thanks, but I dont see how my searches are related to your example. Looks like a totally different search

0 Karma

solarboyz1
Builder
search.... |stats count values(Message.DocumentId) as "Doumentid" by cbatchid
append [
 search.... |   stats count(eval('message.information'="Sent to ESB")) as Sent,count(eval('message.information'!="Sent to ESB")) as NOTSENT by message.x-cak-messageid | eval Status=if(Sent=1,"OK","NOK")
]
0 Karma

Mike6960
Path Finder

Hmmm, I get no results found. So somewhere I am doing something wrong

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...