Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to combine 2 stats count O/P to be displayed in one for use in Overlay Chart

promukh
Path Finder
‎02-28-2020 06:04 PM

search query 1 | stats count by source1.field1 | where blah ==blah | rename field1 as "Y-098"

Y-098 || Count
1.Instagram -- 56
2.twitter -- 78

search query 2 | stats count by source2.field2 | where blah ==blah | rename field2 as "Vr-234"

Vr-234 || Count
1.Instagram_active_user -- 34
2.twitter_active_user --21

How can i combine the above 2 searches to be displayed under one output as shown below to be used in Overlay Chart , also is there any way to rename the "Count" Field

Field-Name-1 | Count | Field-Name-2 | Count
Instagram | 56 | Instagram_active_user | 34
twitter | 78 | twitter_active_user | 21

0 Karma
Reply

woodcock
Esteemed Legend
‎02-29-2020 03:02 PM

Like this:

(search query 1) OR (search query 2)
| eval joiner=coalesce(source1.field1, source2.field2)
| stats count BY joiner
| eval {joiner} = count
| table joiner count *_active_user
| eventstats first(*_active_user) AS *_active_user
| foreach *_active_user [ eval active_user_count = if(joiner=="<<MATCHSTR>>", '<<FIELD>>', active_user_count) | fields - <<FIELD>> ]
| where isnotnull(active_user_count)
Reply

sumanssah
Communicator
‎02-29-2020 08:22 AM

Please try this

search query 1 | stats count by source1.field1 | where blah ==blah | rename field1 as "Y-098" 

| join 
    [| search query 2 | stats count by source2.field2 | where blah ==blah | rename field2 as "Vr-234" ]
0 Karma
Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...