Splunk Search

How do you combine two searches?

Mike6960
Path Finder

I have two searches that work fine, but I want to show them in one dashboard. I have these two

1-....search....:

 |stats count values(Message.DocumentId) as "Doumentid" by cbatchid

2-....search....

| stats count(eval('message.information'="Sent to ESB")) as Sent,count(eval('message.information'!="Sent to ESB")) as NOTSENT by message.x-cak-messageid |  eval Status=if(Sent=1,"OK","NOK")

Index, source etc. are the same, the searches only contain which index en source to search in. How can I combine the two ?

0 Karma
1 Solution

Oracle
Explorer

Try this search..

| makeresults
| eval id="1"
| eval batch="2013"
| appendcols [| makeresults | eval success=1
| eval failure=4
| eval message=Thisissample
| eval Status=if(success=1,"OK","NOK")]

It works for me..

Note: You can use either "appendcols, append, join" depending on the results you want to output.

https://splunkonbigdata.com/2018/09/05/usage-of-splunk-commands-appendcols/

View solution in original post

0 Karma

Oracle
Explorer

Try this search..

| makeresults
| eval id="1"
| eval batch="2013"
| appendcols [| makeresults | eval success=1
| eval failure=4
| eval message=Thisissample
| eval Status=if(success=1,"OK","NOK")]

It works for me..

Note: You can use either "appendcols, append, join" depending on the results you want to output.

https://splunkonbigdata.com/2018/09/05/usage-of-splunk-commands-appendcols/

0 Karma

Mike6960
Path Finder

Thanks, but I dont see how my searches are related to your example. Looks like a totally different search

0 Karma

solarboyz1
Builder
search.... |stats count values(Message.DocumentId) as "Doumentid" by cbatchid
append [
 search.... |   stats count(eval('message.information'="Sent to ESB")) as Sent,count(eval('message.information'!="Sent to ESB")) as NOTSENT by message.x-cak-messageid | eval Status=if(Sent=1,"OK","NOK")
]
0 Karma

Mike6960
Path Finder

Hmmm, I get no results found. So somewhere I am doing something wrong

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...