Join same index twice for search1 and search2 into...

jw44250 · ‎01-18-2017

I have one index that search for an error and the same index search for exeception

now i have error result and exception result... i want append into table format..

aaraneta_splunk · ‎01-18-2017

@jw44250 - To add to richgalloway's comment, the more information and context you can provide to the Answers community, the better chances you have of another user providing a working solution to your question. It would be helpful if you provided your current search so that experts in the community have a starting point in order help you out.

DalJeanis · ‎01-18-2017

This example assumes that you will have certain fields that naturally exist in both searches (server, _time) certain fields that each search will fill in (ProblemType, ProblemCode, ProblemMessage) and other fields that will be different for the two searches (SomeErrorStuff, SomeExceptionStuff).

[error search goes here] 
| fields server _time ErrorCode ErrorMessage SomeErrorStuff  
| eval ProblemType="Error" 
| eval ProblemCode=ErrorCode  
| eval ProblemMessage=ErrorMessage 
| append 
   [
   [exception search goes here] 
   | fields server _time ExceptionCode ExceptionMessage SomeExceptionStuff 
   | eval ProblemType="Exception" 
   | eval ProblemCode=ExceptionCode  
   | eval ProblemMessage=ExceptionMessage  
   ]
| table server _time ProblemType ProblemCode ProblemMessage SomeErrorStuff SomeExceptionStuff

SomeErrorStuff and SomeExceptionStuff will be NULL in records that are not relevant to them.

richgalloway · ‎01-18-2017

What are your current searches?

---
If this reply helps you, Karma would be appreciated.

Join same index twice for search1 and search2 into a single table

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms