Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to combine 2 searches with same value and field name.

Allene139
Explorer
‎04-11-2022 10:32 AM

I have 2 searches and I want to link 2 together in one table.

The first search:

 

index=very_big_index caseNumber=1234567799

| table _time Name caseNumber UID phone.

 

This displays the following as expected, but the phone field is blank:

_timeNamecaseNumberUIDphone
11APR2022John Smith1234567799111222333444555666777 

 

The second search with the UID yields the phone number but nothing else:

 

index=very_big_index 111222333444555666777
| stats values(phone) as phone

 

results:

phone
123-555-1234

 

How can I efficiently link these 2 searches together using the common field name/value of UID/111222333444555666777

Labels (3)
Labels
0 Karma
Reply

Stefanie
Builder
‎04-12-2022 06:32 AM

In your first search, 

index=very_big_index caseNumber=1234567799

| table _time Name caseNumber UID phone

 

Is phone blank because the value should be "phone_number"?

 

Does this search not return your results? 

index=very_big_index caseNumber=1234567799

| table _time Name caseNumber UID phone_number

 

 

0 Karma
Reply

Allene139
Explorer
‎04-12-2022 06:40 AM

Apologies for the confusion. The name of the field is "phone." But I used "phone_number" when I was sanitizing the data for this post. I fixed the post. Thank you

0 Karma
Reply

Allene139
Explorer
‎04-12-2022 06:05 AM

That didn't work. The phone number field is blank. But thank you.

0 Karma
Reply

blbr123
Path Finder
‎04-11-2022 10:40 AM

index=very_big_index caseNumber=1234567799 111222333444555666777 | stats values(phone_number) as phone by _time Name caseNumber UID

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...