Re: How to combine two queries into one?

dwibedi03 · ‎02-22-2021

I have two query that is exact same except the use of the lookup for each search. The one query includes data from a lookup and the other one excludes data from the same lookup. Is there a way I can combine two queries into one.

The first one is

index=abc dest="xyz.com" uri_path="access.html" http_method=POST NOT 
    [| inputlookup filter_ips 
    | fields src] | stats count by _time src

The second one is

index=abc dest="xyz.com" uri_path="access.html" http_method=POST 
    [| inputlookup filter_ips 
    | fields src] | stats count by _time src

The only difference is the Not in the first one. Can someone help me combine it? I tried using braces around the searches and combining it but didnt work.

Example

(index=abc dest="xyz.com" uri_path="access.html" http_method=POST NOT 
    [| inputlookup filter_ips 
    | fields src] | eval test= a1) OR (index=abc dest="xyz.com" uri_path="access.html" http_method=POST 
    [| inputlookup filter_ips 
    | fields src] | eval test=a2) | stats count by _time src test

But it gives error as eval expression malfunction.

tscroggins · ‎02-22-2021

The union of the two searches is simply the base search:

index=abc dest="xyz.com" uri_path="access.html" http_method=POST | stats count by _time src

to4kawa · ‎02-22-2021

If you combine them, you won't get any results.

How to combine two queries into one?

eval

fields

stats

subsearch

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Transform your security operations with Splunk Enterprise Security

Splunk Admins and App Developers | Earn a $35 gift card!