Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to merge two Splunk queries ?

nilbak88
Explorer
‎04-15-2022 05:29 AM

Hi All,

I need help with  Splunk Query for below scenario:

Query 1:
index =abc | table src, dest_name, severity, action

If it finds dest_name for any high and critical severity, it will look for computerdnsname in index xyz and there if it matches, it will display the result

Query 2:

index=xyz 

 

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎04-15-2022 08:40 AM

Hi @nilbak88,

as @richgalloway said it's difficoult to help you with these few informations, so anyway I try to suppose your need:

Query 1:
(index =abc (severity=high OR severity=critical)) OR index=xyz 
| eval dest_name=coalesce(dest_name,computerdnsname)
| stats values(src) AS src values(severity) AS severity values(action) AS action dc(index) AS dc_index BY dest_name
| where dc_index=2
| table dest_name src severity action

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎04-15-2022 08:40 AM

Hi @nilbak88,

as @richgalloway said it's difficoult to help you with these few informations, so anyway I try to suppose your need:

Query 1:
(index =abc (severity=high OR severity=critical)) OR index=xyz 
| eval dest_name=coalesce(dest_name,computerdnsname)
| stats values(src) AS src values(severity) AS severity values(action) AS action dc(index) AS dc_index BY dest_name
| where dc_index=2
| table dest_name src severity action

Ciao.

Giuseppe

Reply
Solved! Jump to solution

nilbak88
Explorer
‎04-21-2022 05:05 AM

thanks @gcusello . 
That's what i was looking for.
However, i will get back to you on this again if needed more help

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎04-21-2022 05:04 AM

Hi @nilbak88,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎04-15-2022 06:21 AM

How to merge the queries depends on what results you want displayed.  Please tell us more about that.

---
If this reply helps you, Karma would be appreciated.
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Observability Simplified: Combining User Experience, Application Performance & ...

Tech Talk Observability Simplified: Combining User Experience, Application Performance & Network ...

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...

Global Splunk User Group Events: May + June 2026

Your Splunk Community Awaits: Discover Upcoming User Group Events Worldwide    Staying ahead in the fast-paced ...