Solved: How to marge two in depended query result dependin...

snehalk · ‎12-30-2016

Hello All,

I have the requirement where i need to marge two search query values depending on parameter.

Example:

Result of Query  1: 
ID  Email   Status
 1  xyz@abc        Pass

 2  dd@fd         Fail

Result Query 2 
 ID      Email            Status
1       xyz@abc      Fail

 2  dd@fd         Fail

What i want as final result

Final Query [ query 1 + query 2 ]
     ID      Email            Status
    1       xyz@abc      Fail

     2  dd@fd         Fail

Because the Id with 1 and email id with xyz@abc failed in second result .

I have used append and appendcols but its not working,.

So can any one help me on this?

Thanks!!

snehalk · ‎01-02-2017

Hi All,

I got the answer for this problem. the query is as follow.

search query 1 | stats count by  ID,Email,Status1 | appendcols [search query 2 | stats count by  ID,Email,Status2 ] | eval finalstatus=if ( Status1= Pass AND Status2= Pass, "Pass", Fail) | stats count by finalstatus

View solution in original post

snehalk · ‎01-02-2017

Hi All,

I got the answer for this problem. the query is as follow.

search query 1 | stats count by  ID,Email,Status1 | appendcols [search query 2 | stats count by  ID,Email,Status2 ] | eval finalstatus=if ( Status1= Pass AND Status2= Pass, "Pass", Fail) | stats count by finalstatus

How to marge two in depended query result depending on parameter

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?