Solved: Join two queries with different fields

JandrevdM · ‎08-26-2024

Hi All,

I have two queries which searches for users that use an app. The apps are not in the same fields which was why I had to split the queries. But now I want to join the queries to get the results

Query 1
index=db_it_network sourcetype=pan* url_domain="www.perplexity.ai"
| table user, url_domain, date_month
| stats count by user url_domain date_month
| chart count by url_domain date_month
| sort url_domain 0

Query 2
index=db_it_network sourcetype=pan* app=claude-base OR app=google-gemini* OR app=openai* OR app=bing-ai-base
| table user, app, date_month
| stats count by user app date_month
| chart count by app date_month
| sort app 0

results example that I want

App	August	July
claude-base	123	120
google-gemini	124	42
openai	153	123
bing-ai-base	212	232
www.perplexity.com	14	12

ITWhisperer · ‎08-26-2024

Try this

index=db_it_network sourcetype=pan* url_domain="www.perplexity.ai"
OR app=claude-base OR app=google-gemini* OR app=openai* OR app=bing-ai-base
| eval app=if(url_domain="www.perplexity.ai", url_domain, app)
| table user, app, date_month
| stats count by user app date_month 
| chart count by app date_month 
| sort app 0

View solution in original post

ITWhisperer · ‎08-26-2024

Try this

index=db_it_network sourcetype=pan* url_domain="www.perplexity.ai"
OR app=claude-base OR app=google-gemini* OR app=openai* OR app=bing-ai-base
| eval app=if(url_domain="www.perplexity.ai", url_domain, app)
| table user, app, date_month
| stats count by user app date_month 
| chart count by app date_month 
| sort app 0

Join two queries with different fields

fields

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

Logs to Metrics

Developer Spotlight with Paul Stout