Is it possible to overlap 2 search results and com...

ben_leung · ‎07-21-2015

index=main "string" | timechart count by field_1
index=main sourcetype=certain_logs action=certain_action | timechart count by field_2

The only common field each query has is _time. Is is possible to run a query that will overlap the results together?

bmacias84 · ‎07-21-2015

It sounds like you want appendcol or append command.

http://docs.splunk.com/Documentation/Splunk/6.2.4/SearchReference/Appendcols

MuS · ‎07-21-2015

Hi ben_leung,

maybe this can help, since you're only counting the events from two different searches try to create an eventtype http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Defineeventtypes for each search and tag them for example:

index=main "string" field1 will be eventtype one with tag=one
index=main sourcetype=certain_logs action=certain_action field2 will be eventtype two with tag=two

Once created, run a search like this:

tag=one OR tag=two | timechart count by tag

Hope this helps ...

cheers, MuS

somesoni2 · ‎07-21-2015

Try something like this

index=main "string" OR (sourcetype=certain_logs action=certain_action) | eval commonfield=if(action=certain_action,field_2,field_1) | timechart count by commonfield

Is it possible to overlap 2 search results and combine them without common fields?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!