Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to combine 2 searches with same value and field name.

Allene139
Explorer
‎04-11-2022 10:32 AM

I have 2 searches and I want to link 2 together in one table.

The first search:

 

index=very_big_index caseNumber=1234567799

| table _time Name caseNumber UID phone.

 

This displays the following as expected, but the phone field is blank:

_timeNamecaseNumberUIDphone
11APR2022John Smith1234567799111222333444555666777 

 

The second search with the UID yields the phone number but nothing else:

 

index=very_big_index 111222333444555666777
| stats values(phone) as phone

 

results:

phone
123-555-1234

 

How can I efficiently link these 2 searches together using the common field name/value of UID/111222333444555666777

Labels (3)
Labels
0 Karma
Reply

Stefanie
Builder
‎04-12-2022 06:32 AM

In your first search, 

index=very_big_index caseNumber=1234567799

| table _time Name caseNumber UID phone

 

Is phone blank because the value should be "phone_number"?

 

Does this search not return your results? 

index=very_big_index caseNumber=1234567799

| table _time Name caseNumber UID phone_number

 

 

0 Karma
Reply

Allene139
Explorer
‎04-12-2022 06:40 AM

Apologies for the confusion. The name of the field is "phone." But I used "phone_number" when I was sanitizing the data for this post. I fixed the post. Thank you

0 Karma
Reply

Allene139
Explorer
‎04-12-2022 06:05 AM

That didn't work. The phone number field is blank. But thank you.

0 Karma
Reply

blbr123
Path Finder
‎04-11-2022 10:40 AM

index=very_big_index caseNumber=1234567799 111222333444555666777 | stats values(phone_number) as phone by _time Name caseNumber UID

0 Karma
Reply
Get Updates on the Splunk Community!

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...