Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to merge two different queries with the same columns together?

shayhibah
Path Finder
‎12-05-2019 02:48 AM

Hi,

I have different queries:

Query 1:
|inputlookup myLokkup | eval count=0 | table myField, count
For Example:
myField count
A 0
B 0
C 0

Query 2:
sourcetype="my_log" | stats count by myField
For Example:
myField count
A 4
C 2

How can I combine these 2 queries to return the following:
myField count
A 4
B 0
C 2

Thanks

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎12-05-2019 02:55 AM

@shayhibah

Can you please try this?

sourcetype="my_log" 
| stats count by myField
| append [ |inputlookup myLokkup | eval count=0 | table myField, count ] 
| stats sum(count) as count by myField

Thanks

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎12-05-2019 02:55 AM

@shayhibah

Can you please try this?

sourcetype="my_log" 
| stats count by myField
| append [ |inputlookup myLokkup | eval count=0 | table myField, count ] 
| stats sum(count) as count by myField

Thanks

0 Karma
Reply
Solved! Jump to solution

shayhibah
Path Finder
‎12-05-2019 03:43 AM

hi @kamlesh_vaghela

The output is incorrect:

A0
A 4
B 0
C0
C 2

It didn't remove fields that exist in both searches

0 Karma
Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎12-05-2019 03:53 AM

@shayhibah

I think it should work. Can you please confirm that count doesn't have any extra hidden character.

Please check below sample search with same logic.

| makeresults | eval myField="A,C",myField=split(myField,","),count=20 | mvexpand myField | table myField count | append [| makeresults | eval myField="A,B,C",myField=split(myField,","),count=0 | mvexpand myField | table myField count] | stats sum(count) as count by myField

Is it possible to share your search with sample values?

0 Karma
Reply
Solved! Jump to solution

shayhibah
Path Finder
‎12-05-2019 04:01 AM

@kamlesh_vaghela
Sure,

This is my query:

sourcetype="my_log" | stats count by my_field
| append [|inputlookup my_lookup | rename field AS my_field | eval count=0 | table my_field, count]
| stats sum(count) as count by my_field

For some reason your query above works fine but mine does not.

0 Karma
Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎12-05-2019 04:05 AM

@shayhibah

I think your lookup field has extra spaces.
Try this.

sourcetype="my_log" | stats count by my_field
 | append [|inputlookup my_lookup | rename field AS my_field | eval count=0 | eval myField=trim(myField) | table my_field, count]
 | stats sum(count) as count by my_field
0 Karma
Reply
Solved! Jump to solution

shayhibah
Path Finder
‎12-05-2019 04:04 AM

I know what the problem is - typo 😕
But your response was correct - thank you

0 Karma
Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎12-05-2019 04:06 AM

ooh Great.

Happy Splunking

0 Karma
Reply
Get Updates on the Splunk Community!

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...