Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to add two different chart queries and get the results in single table

rkishoreqa
Communicator
‎09-08-2020 11:54 AM

I have two queries like as below : 

> index="int_audit_dev" | chart count(ApplicationName) over ApplicationName by Status

> index="int_audit_dev" | chart count(event.ApplicationName) over event.ApplicationName by event.Status

Individually these two queries are fine and able to get the data in tabular format. But I want the data as a sum of values in tabular format.

Any suggestions?

Labels (1)
Labels
0 Karma
Reply

rkishoreqa
Communicator
‎09-09-2020 10:11 AM

I want to add the results of below two queries

> index="int_audit_dev" | chart count(ApplicationName) over ApplicationName by Status |addtotals
> index="int_audit_dev" | chart count(event.ApplicationName) over event.ApplicationName by event.Status |addtotals

0 Karma
Reply

to4kawa
Ultra Champion
‎09-08-2020 01:20 PM

index="int_audit_dev" |eval status=coalesce(Status,event.Status), applicationName=coalesce(ApplicationName,event.ApplicationName)| chart count(applicationName) over applicationName by status

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-08-2020 12:49 PM

Can you provide an example of what you currently have and what you would like

0 Karma
Reply

rkishoreqa
Communicator
‎09-09-2020 10:38 AM

I want to add the results of below two queries

index="int_audit_dev" | chart count(ApplicationName) over ApplicationName by Status |addtotals index="int_audit_dev" | chart count(event.ApplicationName) over event.ApplicationName by event.Status |addtotals

0 Karma
Reply

rkishoreqa
Communicator
‎09-09-2020 11:30 AM

Example :
query 1 : index="int_audit_dev" | chart count(ApplicationName) over ApplicationName by Status |addtotals 
for the above query, I am getting as below
a    5
b    8

query 2 : index="int_audit_dev" | chart count(event.ApplicationName) over event.ApplicationName by event.Status |addtotals
for this query, the results will be like
a    3
b    6

Now I need a single query to add above both values and display in Dashboard like below (adding above both table data):
a      8
b    14

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | Why do they call it hyper text?

November 2023 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

State of Splunk Careers 2023: Career Resilience and the Continued Value of Splunk

For the past three years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...

The Great Resilience Quest: 9th Leaderboard Update

The ninth leaderboard update (11.9-11.22) for The Great Resilience Quest is out >> Kudos to all the ...