How to merge multiple searches and combine the result in a tabular format

Explorer

Hi All,

I have the below independent search queries giving the count.

ns=app1 Service='trigger1' id=100 | Search Response | stats count as "Success Count"
ns=app1 Service='trigger2' id=100 OR 110 | Search Response | stats count as "Success Count1"

I want to put a table with two columns as:
Success Count Success Count1
XXXXXX YYYYYY

Thank you!


Re: How to merge multiple searches and combine the result in a tabular format

SplunkTrust

Is "Search Response" the same in both queries?

---
If this reply helps you, an upvote would be appreciated.

Re: How to merge multiple searches and combine the result in a tabular format

Explorer

ns=app1 Service='trigger1' id=100 ActNo='101' | Search Response | stats count as "Success Count"
Returns the count of events with ActNo='101' only, where Response indicates a success response.

ns=app1 Service='trigger1' id=100 OR 110 ActNo!='100' | Search Response | stats count as "Success Count1"
Returns the count of events with ActNo!='100', which means there can be many, where Response indicates a success response.

I want to put a table with two columns as:
Success Count Success Count1
XXXXXX YYYYYY


Re: How to merge multiple searches and combine the result in a tabular format

SplunkTrust

Give this a try

ns=app1 (Service='trigger1' id=100) OR (Service='trigger2' id=100 OR id=110)
| chart count over ns by Service
| table trigger1 trigger2 | rename trigger1 as "Success Count" trigger2 as "Success Count1"

Updated per last comment
If your field values for Service and ActNo don't contain single quotes

ns=app1 Service='trigger1' id=100 ActNo=* Response
| eval count1=if(ActNo="101",1,0)
| eval count2=if(count1=1,0,1)
| stats sum(count1) as "Success Count" sum(count2) as "Success Count1"

If they do contain single quotes

ns=app1 Service='trigger1' id=100 ActNo=* Response
| eval count1=if(ActNo="'101'",1,0)
| eval count2=if(count1=1,0,1)
| stats sum(count1) as "Success Count" sum(count2) as "Success Count1"
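
Added example, not part of the original thread or any poster's own search: one search that handles both the quoted and unquoted ActNo cases described above by stripping single quotes before comparing. The events are constructed with makeresults, and the fields n and ActNo_clean are hypothetical helper names.

```spl
| makeresults count=6
| streamstats count as n
| eval ns="app1", Service="'trigger1'", id=100
| eval ActNo=case(n=1,"101", n=2,"'101'", n=3,"102", n=4,"'205'", n=5,"101", n=6,"'100'")
| eval ActNo_clean=trim(ActNo, "'")
| stats count(eval(ActNo_clean="101")) as "Success Count"
        count(eval(ActNo_clean!="101")) as "Success Count1"
```

Against real data, the first four lines would be replaced by the base search, keeping the trim and stats steps.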


Re: How to merge multiple searches and combine the result in a tabular format

Explorer

Thanks for the response.

There is a slight change in the above input data as it was missed from my side.

ns=app1 Service='trigger1' id=100 ActNo='101' | Search Response | stats count as "Success Count"
ns=app1 Service='trigger1' id=100 OR 110 ActNo!='100' | Search Response | stats count as "Success Count1"

I want to put a table with two columns as:
Success Count Success Count1
XXXXXX YYYYYY

Thank You.


Re: How to merge multiple searches and combine the result in a tabular format

SplunkTrust

In the 2nd search, is it id=100 OR 110, or id=100 OR id=110? The two are different, as the first one searches for the field id=100 and the number 110 in the raw data.


Re: How to merge multiple searches and combine the result in a tabular format

Super Champion

Also, in the second search, is it Service='trigger2', as you had mentioned in the original post?


Re: How to merge multiple searches and combine the result in a tabular format

Explorer

Data is as below:

ns=app1 Service='trigger1' id=100 ActNo='101' | Search Response | stats count as "Success Count"
ns=app1 Service='trigger1' id=100 ActNo!='100' | Search Response | stats count as "Success Count1"

I want to put a table with two columns as:
Success Count Success Count1
XXXXXX YYYYYY

Service='trigger1' only. ActNo can have a range of values in the second case.


Re: How to merge multiple searches and combine the result in a tabular format

SplunkTrust

Try the updated answer.


Re: How to merge multiple searches and combine the result in a tabular format

Explorer

Thanks, it worked.

Now I have a failed response which has an event like

ns=app1 [ErrorResponse] Service='trigger1' id=100.

How can I add it to the above search in order to get failed counts?

Thank You!
