Solved: How to marge two in depended query result dependin...

snehalk · ‎12-30-2016

Hello All,

I have the requirement where i need to marge two search query values depending on parameter.

Example:

Result of Query  1: 
ID  Email   Status
 1  xyz@abc        Pass

 2  dd@fd         Fail

Result Query 2 
 ID      Email            Status
1       xyz@abc      Fail

 2  dd@fd         Fail

What i want as final result

Final Query [ query 1 + query 2 ]
     ID      Email            Status
    1       xyz@abc      Fail

     2  dd@fd         Fail

Because the Id with 1 and email id with xyz@abc failed in second result .

I have used append and appendcols but its not working,.

So can any one help me on this?

Thanks!!

snehalk · ‎01-02-2017

Hi All,

I got the answer for this problem. the query is as follow.

search query 1 | stats count by  ID,Email,Status1 | appendcols [search query 2 | stats count by  ID,Email,Status2 ] | eval finalstatus=if ( Status1= Pass AND Status2= Pass, "Pass", Fail) | stats count by finalstatus

View solution in original post

snehalk · ‎01-02-2017

Hi All,

I got the answer for this problem. the query is as follow.

search query 1 | stats count by  ID,Email,Status1 | appendcols [search query 2 | stats count by  ID,Email,Status2 ] | eval finalstatus=if ( Status1= Pass AND Status2= Pass, "Pass", Fail) | stats count by finalstatus

How to marge two in depended query result depending on parameter

Fueling your curiosity with new Splunk ILT and eLearning courses

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Unleash Unified Security and Observability with Splunk Cloud Platform