Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do you combine two searches?

Mike6960
Path Finder
‎03-28-2019 09:16 AM

I have two searches that work fine, but I want to show them in one dashboard. I have these two

1-....search....:

 |stats count values(Message.DocumentId) as "Doumentid" by cbatchid

2-....search....

| stats count(eval('message.information'="Sent to ESB")) as Sent,count(eval('message.information'!="Sent to ESB")) as NOTSENT by message.x-cak-messageid |  eval Status=if(Sent=1,"OK","NOK")

Index, source etc. are the same, the searches only contain which index en source to search in. How can I combine the two ?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Oracle
Explorer
‎03-28-2019 07:25 PM

Try this search..

| makeresults
| eval id="1"
| eval batch="2013"
| appendcols [| makeresults | eval success=1
| eval failure=4
| eval message=Thisissample
| eval Status=if(success=1,"OK","NOK")]

It works for me..

Note: You can use either "appendcols, append, join" depending on the results you want to output.

https://splunkonbigdata.com/2018/09/05/usage-of-splunk-commands-appendcols/

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Oracle
Explorer
‎03-28-2019 07:25 PM

Try this search..

| makeresults
| eval id="1"
| eval batch="2013"
| appendcols [| makeresults | eval success=1
| eval failure=4
| eval message=Thisissample
| eval Status=if(success=1,"OK","NOK")]

It works for me..

Note: You can use either "appendcols, append, join" depending on the results you want to output.

https://splunkonbigdata.com/2018/09/05/usage-of-splunk-commands-appendcols/

0 Karma
Reply
Solved! Jump to solution

Mike6960
Path Finder
‎03-28-2019 11:48 PM

Thanks, but I dont see how my searches are related to your example. Looks like a totally different search

0 Karma
Reply
Solved! Jump to solution

solarboyz1
Builder
‎03-28-2019 09:41 AM 
search.... |stats count values(Message.DocumentId) as "Doumentid" by cbatchid
append [
 search.... |   stats count(eval('message.information'="Sent to ESB")) as Sent,count(eval('message.information'!="Sent to ESB")) as NOTSENT by message.x-cak-messageid | eval Status=if(Sent=1,"OK","NOK")
]
0 Karma
Reply
Solved! Jump to solution

Mike6960
Path Finder
‎03-28-2019 12:02 PM

Hmmm, I get no results found. So somewhere I am doing something wrong

0 Karma
Reply
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...