Is it possible to overlap 2 search results and com...

ben_leung · ‎07-21-2015

index=main "string" | timechart count by field_1
index=main sourcetype=certain_logs action=certain_action | timechart count by field_2

The only common field each query has is _time. Is is possible to run a query that will overlap the results together?

bmacias84 · ‎07-21-2015

It sounds like you want appendcol or append command.

http://docs.splunk.com/Documentation/Splunk/6.2.4/SearchReference/Appendcols

MuS · ‎07-21-2015

Hi ben_leung,

maybe this can help, since you're only counting the events from two different searches try to create an eventtype http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Defineeventtypes for each search and tag them for example:

index=main "string" field1 will be eventtype one with tag=one
index=main sourcetype=certain_logs action=certain_action field2 will be eventtype two with tag=two

Once created, run a search like this:

tag=one OR tag=two | timechart count by tag

Hope this helps ...

cheers, MuS

somesoni2 · ‎07-21-2015

Try something like this

index=main "string" OR (sourcetype=certain_logs action=certain_action) | eval commonfield=if(action=certain_action,field_2,field_1) | timechart count by commonfield

Is it possible to overlap 2 search results and combine them without common fields?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?