Re: How to combine two queries into one?

dwibedi03 · ‎02-22-2021

I have two query that is exact same except the use of the lookup for each search. The one query includes data from a lookup and the other one excludes data from the same lookup. Is there a way I can combine two queries into one.

The first one is

index=abc dest="xyz.com" uri_path="access.html" http_method=POST NOT 
    [| inputlookup filter_ips 
    | fields src] | stats count by _time src

The second one is

index=abc dest="xyz.com" uri_path="access.html" http_method=POST 
    [| inputlookup filter_ips 
    | fields src] | stats count by _time src

The only difference is the Not in the first one. Can someone help me combine it? I tried using braces around the searches and combining it but didnt work.

Example

(index=abc dest="xyz.com" uri_path="access.html" http_method=POST NOT 
    [| inputlookup filter_ips 
    | fields src] | eval test= a1) OR (index=abc dest="xyz.com" uri_path="access.html" http_method=POST 
    [| inputlookup filter_ips 
    | fields src] | eval test=a2) | stats count by _time src test

But it gives error as eval expression malfunction.

tscroggins · ‎02-22-2021

The union of the two searches is simply the base search:

index=abc dest="xyz.com" uri_path="access.html" http_method=POST | stats count by _time src

to4kawa · ‎02-22-2021

If you combine them, you won't get any results.

How to combine two queries into one?

eval

fields

stats

subsearch

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Join the Conversation