Splunk Search

How to join two searches for stats command

prakashbhanu407
New Member

I have 2 queries and need to show the result of both in one table

index=someindex queryType="ts" filename=PNASC.HRBDT status=1 | dedup filename |rename filename as Daily| stats count(Daily)
Daily Query Output

index=someindex queryType="ts" filename=RECON status=1 | dedup filename |rename filename as Weekly | stats count(Weekly)

both the above queries work individually but when joined as below

index=someindex queryType="ts" filename=RECON status=1| dedup filename |rename filename as Weekly| join queryType [search index=someindex queryType="ts" filename=PNASC.HRBDT status=1 | dedup filename |rename filename as Daily ]| stats count(Daily),count(Weekly)

gives incorrect output

Joined query output

0 Karma
1 Solution

fdi01
Motivator

try like

index=someindex queryType="ts" filename=PNASC.HRBDT status=1 | dedup filename |rename filename as Daily| stats count(Daily)|appendcols  [search index=someindex queryType="ts" filename=RECON status=1 | dedup filename |rename filename as Weekly | stats count(Weekly)]

View solution in original post

fdi01
Motivator

try like

index=someindex queryType="ts" filename=PNASC.HRBDT status=1 | dedup filename |rename filename as Daily| stats count(Daily)|appendcols  [search index=someindex queryType="ts" filename=RECON status=1 | dedup filename |rename filename as Weekly | stats count(Weekly)]

seeyonraj
Engager

Perfect!

0 Karma

prakashbhanu407
New Member

I was trying Joining the 2 searches but "appendcols" worked like a charm...thanks.

0 Karma

sk314
Builder

I am not sure why you are deduping. Assuming that's what you want...try this:

index=someindex queryType="ts" filename=RECON OR filename=PNASC.HRBDT status=1| dedup filename | stats count by  filename
0 Karma

prakashbhanu407
New Member

The files have date timestamp extension and I need to show them bundled by the types...hence this will not work.

0 Karma
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...