Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Is it possible to overlap 2 search results and combine them without common fields?

ben_leung
Builder
‎07-21-2015 01:42 PM

index=main "string" | timechart count by field_1
index=main sourcetype=certain_logs action=certain_action | timechart count by field_2

The only common field each query has is _time. Is is possible to run a query that will overlap the results together?

0 Karma
Reply

bmacias84
Champion
‎07-21-2015 01:55 PM

It sounds like you want appendcol or append command.

http://docs.splunk.com/Documentation/Splunk/6.2.4/SearchReference/Appendcols

0 Karma
Reply

MuS
Legend
‎07-21-2015 01:55 PM

Hi ben_leung,

maybe this can help, since you're only counting the events from two different searches try to create an eventtype http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Defineeventtypes for each search and tag them for example:

  • index=main "string" field1 will be eventtype one with tag=one
  • index=main sourcetype=certain_logs action=certain_action field2 will be eventtype two with tag=two

Once created, run a search like this:

tag=one OR tag=two | timechart count by tag

Hope this helps ...

cheers, MuS

Reply

somesoni2
Revered Legend
‎07-21-2015 01:50 PM

Try something like this

index=main "string" OR (sourcetype=certain_logs action=certain_action) | eval commonfield=if(action=certain_action,field_2,field_1) | timechart count by commonfield
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...