I want to combine two search results, whereby I'm only interested in the last x/y events from each subquery. Something like this:
| multisearch
[search index="sli-index"
| eval testtype="endp-health"
| head 3]
[search index="sli-index"
| eval testtype="enp-system"
| head 6]
This leads to following error: ...Error in 'multisearch' command: Multisearch subsearches might only contain purely streaming operations (subsearch 1 contains a non-streaming command)....
Any idea how this can be achieved?
I tried with append:
index="sli-index"
| eval testtype="endp-health"
| head 1
| append
[search index="sli-index"
| eval testtype="enp-system"
| head 1]
But for some reasons I get two events where testtype=="endp-system".
Expected: I get two events: testtype="endp-health" and the other with testtype="endp-system"
Strange. Works for me.
Hi,
after putting the result in a table, the result is OK 🙂
For completeness, this now shows correct results:
index="sli-index"
| eval testtype="endp-health"
| head 3
| append
[search index="sli-index"
| eval testtype="enp-system"
| head 6]
| table _time, testtype
Many Thanks, you saved my day.
Cheers, Martin
Now that's interesting because all commands are streaming. Maybe Splunk tried to optimize the search and came up with some non-streaming equivalent and shot itself in the foot. Anyway. If your subsearches are small and quick you can use append.
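As an added illustration (not part of the original answer) of the two forms discussed above: the multisearch version only works while every subsearch stays purely streaming, so the head command has to come out of the subsearches and can only be applied to the combined result; the append version keeps a separate head per branch. Index name and field values are the ones used in the thread, with "endp-system" spelled the same way in both branches so the two testtype values can be told apart in the output.

```spl
| multisearch
    [search index="sli-index" | eval testtype="endp-health"]
    [search index="sli-index" | eval testtype="endp-system"]
| table _time, testtype

index="sli-index"
| eval testtype="endp-health"
| head 3
| append
    [search index="sli-index"
    | eval testtype="endp-system"
    | head 6]
| table _time, testtype
```

The first search cannot limit each branch to its last N events; a head placed after the multisearch applies to the merged stream. The second search gives the per-branch limit the question asks for, at the cost of append running its subsearch to completion (subject to the usual subsearch time and result limits) before the results are joined.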