Splunk Search

Is it possible to overlap 2 search results and combine them without common fields?

ben_leung
Builder

index=main "string" | timechart count by field_1
index=main sourcetype=certain_logs action=certain_action | timechart count by field_2

The only common field each query has is _time. Is it possible to run a query that will overlap the results together?

0 Karma

bmacias84
Champion

It sounds like you want the appendcols or append command.

http://docs.splunk.com/Documentation/Splunk/6.2.4/SearchReference/Appendcols

0 Karma

MuS
Legend

Hi ben_leung,

maybe this can help, since you're only counting the events from two different searches try to create an eventtype http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Defineeventtypes for each search and tag them for example:

  • index=main "string" field1 will be eventtype one with tag=one
  • index=main sourcetype=certain_logs action=certain_action field2 will be eventtype two with tag=two

Once created, run a search like this:

tag=one OR tag=two | timechart count by tag

Hope this helps ...

cheers, MuS

somesoni2
Revered Legend

Try something like this

index=main "string" OR (sourcetype=certain_logs action=certain_action) | eval commonfield=if(action=="certain_action",field_2,field_1) | timechart count by commonfield
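A variant of the single-search approach above, added here as an example and not posted by anyone in the thread: the two populations are tagged with a prefix before the timechart so that series from the first search never collide with series from the second when field_1 and field_2 happen to share values, and an explicit span keeps the buckets predictable. The field and value names are the placeholders from the question.

```spl
index=main ("string" OR (sourcetype=certain_logs action="certain_action"))
| eval series=if(sourcetype="certain_logs" AND action="certain_action",
                 "q2:".coalesce(field_2, "missing"),
                 "q1:".coalesce(field_1, "missing"))
| timechart span=1h count by series
```

Events that match both conditions are counted once, on the q2 side; the "missing" bucket shows events where the expected field was not extracted instead of silently dropping them.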