Re: How to combine two queries into one?

dwibedi03 · ‎02-22-2021

I have two query that is exact same except the use of the lookup for each search. The one query includes data from a lookup and the other one excludes data from the same lookup. Is there a way I can combine two queries into one.

The first one is

index=abc dest="xyz.com" uri_path="access.html" http_method=POST NOT 
    [| inputlookup filter_ips 
    | fields src] | stats count by _time src

The second one is

index=abc dest="xyz.com" uri_path="access.html" http_method=POST 
    [| inputlookup filter_ips 
    | fields src] | stats count by _time src

The only difference is the Not in the first one. Can someone help me combine it? I tried using braces around the searches and combining it but didnt work.

Example

(index=abc dest="xyz.com" uri_path="access.html" http_method=POST NOT 
    [| inputlookup filter_ips 
    | fields src] | eval test= a1) OR (index=abc dest="xyz.com" uri_path="access.html" http_method=POST 
    [| inputlookup filter_ips 
    | fields src] | eval test=a2) | stats count by _time src test

But it gives error as eval expression malfunction.

tscroggins · ‎02-22-2021

The union of the two searches is simply the base search:

index=abc dest="xyz.com" uri_path="access.html" http_method=POST | stats count by _time src

to4kawa · ‎02-22-2021

If you combine them, you won't get any results.

How to combine two queries into one?

eval

fields

stats

subsearch

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!