Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to combine the result of 2 search queries?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ID_SplunkUser
Path Finder
08-28-2016
11:01 PM
Hi All,
I have a scenario to combine the search results from 2 queries. For Type= 101 I don't have fields "Amount" and "Currency", so I'm extracting them through Regex in separate query. I can't combine the regex with the main query due to data structure which I have. At the end I just want to display the Amount and Currency with all the fields.
1st query:
sourcetype=abc | table Currency, Amount, Address, Type
2nd Query:
sourcetype=abc | rex field=_raw max_match=0 "(:32B:(?<Curr>.{3})(?<Amnt>.[^\n]+))" |where Type=101|eval fields = mvzip(Curr,Amnt,"#") | mvexpand fields | rex field=fields "(?<Currency>\w+)#(?<Amount>\S+)"
Other than 101 Type all other messages are having Amount and Currency fields. I just want to combine both results.
Thanks.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
inventsekar
SplunkTrust
08-28-2016
11:29 PM
please try -
sourcetype=abc | table Currency, Amount, Address, Type | append [ sourcetype=abc | rex field=_raw max_match=0 "(:32B:(?<Curr>.{3})(?<Amnt>.[^\n]+))" |where Type=101|eval fields = mvzip(Curr,Amnt,"#") | mvexpand fields | rex field=fields "(?<Currency>\w+)#(?<Amount>\S+)"]
thanks and best regards,
Sekar
PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
Sekar
PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
08-29-2016
06:54 AM
Try this:
sourcetype=abc | rex field=_raw max_match=0 "(:32B:(?<Curr>.{3})(?<Amnt>.[^\n]+))" |where Type=101|eval fields = mvzip(Curr,Amnt,"#") | mvexpand fields | rex field=fields "(?<Currency>\w+)#(?<Amount>\S+)" | stats sum(Amount) As Amount BY Currency Address Type
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
vivek_manoj
Explorer
08-29-2016
06:45 AM
you can use appendcols command for combining two search query.
like
index="abc"| search user="hostee"| appendcols[index="xyz"|search host="apple"]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sundareshr
Legend
08-29-2016
05:10 AM
I don't think you need a sub-search. Try this (assuming your regex is extracting values correctly).
sourcetype=abc | rex field=_raw max_match=0 "(:32B:(?<Curr>\w{3})(?<Amnt>[^\n]+))" | eval fields = mvzip(Curr, Amnt, "#") | mvexpand fields | rex field=fields "(?<Currency>\w+)#(?<Amount>\S+) | table Currency, Amount, Address, Type
OR
sourcetype=abc | rex field=_raw max_match=0 "(:32B:(?<Curr>\w{3})(?<Amnt>[^\n]+))" | eval fields = mvzip(Curr, Amnt, "#") | mvexpand fields | rex field=fields "(?<Currency>\w+)#(?<Amount>\S+) | stats count by Currency, Amount, Address, Type
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
inventsekar
SplunkTrust
08-28-2016
11:29 PM
please try -
sourcetype=abc | table Currency, Amount, Address, Type | append [ sourcetype=abc | rex field=_raw max_match=0 "(:32B:(?<Curr>.{3})(?<Amnt>.[^\n]+))" |where Type=101|eval fields = mvzip(Curr,Amnt,"#") | mvexpand fields | rex field=fields "(?<Currency>\w+)#(?<Amount>\S+)"]
thanks and best regards,
Sekar
PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
Sekar
PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ID_SplunkUser
Path Finder
08-30-2016
09:45 PM
Thanks for the reply.
Get Updates on the Splunk Community!
Enter the Agentic Era with Splunk AI Assistant for SPL 1.4
🚀 Your data just got a serious AI upgrade — are you ready?
Say hello to the Agentic Era with the ...
Feel the Splunk Love: Real Stories from Real Customers
Hello Splunk Community,
What’s the best part of hearing how our customers use Splunk? Easy: the positive ...
Data Management Digest – November 2025
Welcome to the inaugural edition of Data Management Digest!
As your trusted partner in data innovation, the ...
