Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Join two queries

tahasefiani
Explorer
‎03-03-2020 06:42 AM

Hello,

i Have this query that i want to improve

| loadjob savedsearch="myquery"
| where (strftime(_time, "%Y-%m-%d") = "2020-02-27")
|  stats dc(eval(if(STEP="Sent",ID_MESSAGE,NULL))) AS sent,
    dc(eval(if(STEP="RME",ID_MESSAGE,NULL))) AS RME by ID_MESSAGE 
| join type=left ID_MESSAGE [| loadjob savedsearch="myquery" 
| where (strftime(_time, "%Y-%m-%d") >= "2020-02-27") AND (strftime(_time, "%Y-%m-%d") <= "2020-03-03") 
|stats dc(eval(if(STEP="Click",ID_MESSAGE,NULL))) AS click by ID_MESSAGE]
|where sent>0
|stats sum(sent) AS sent,sum(RME) AS RME,sum(click) AS click

This is the result that i have today

alt text

And this is the result that i want to have

alt text

knowing that RME and click are calculated on the ID_MESSAGE sent

Preview file
2 KB
Preview file
8 KB
0 Karma
Reply

tahasefiani
Explorer
‎03-05-2020 01:33 AM

@to4kawa It's not really what i want to do.
There is an explication of what i have today as result and what i want to do

alt text

@manjunathmeti

Preview file
24 KB
0 Karma
Reply

tahasefiani
Explorer
‎03-04-2020 05:48 AM

@to4kawa I added a timechart and sum, this is what i have as result

alt text

For sent and RME ,i want only ther distinct count of ID_MESSAGE of the 27.
But for click I want distinct count of the ID_MESSAGE(that we have counted on sent) from 27 to 03/03.
The rest is like a countdown of sent

Preview file
18 KB
0 Karma
Reply

to4kawa
Ultra Champion
‎03-04-2020 02:08 PM

I see, the answers is updated.

0 Karma
Reply

to4kawa
Ultra Champion
‎03-03-2020 12:06 PM

UPDATE2:

| loadjob savedsearch="myquery" 
| where (strftime(_time, "%Y-%m-%d") >= "2020-02-27") AND (strftime(_time, "%Y-%m-%d") <= "2020-03-03") 
| bin span=1d _time
| stats dc(eval(STEP="Sent" AND strftime(_time,"%F")="2020-02-27")) AS sent
, dc(eval(STEP="RME" AND strftime(_time,"%F")="2020-02-27")) AS RME
, dc(eval(STEP="Click")) AS click by _time ID_MESSAGE 
| search ID_MESSAGE="ABC" OR ID_MESSAGE="XYZ"
| fields - ID_MESSAGE
| stats sum(*) as * by _time
| eval The_rest=sent + RME - click
| streamstats sum(The_rest) as "The rest"
| table _time  sent RME click "The rest"

I'm not sure the logs and recently query still
now.

0 Karma
Reply

manjunathmeti
Champion
‎03-03-2020 07:49 AM

Hi @tahasefiani,
Try this.

| loadjob savedsearch="myquery" 
| where (strftime(_time, "%Y-%m-%d") >= "2020-02-27") AND (strftime(_time, "%Y-%m-%d") <= "2020-03-03") 
| stats dc(eval(if(STEP="Click",ID_MESSAGE,NULL))) AS click by ID_MESSAGE 
| timechart span=1d sum(click) AS click 
| eval sent= 
    [| loadjob savedsearch="myquery" 
    | where (strftime(_time, "%Y-%m-%d") = "2020-02-27") 
    | stats dc(eval(if(STEP="Sent",ID_MESSAGE,NULL))) AS sent by ID_MESSAGE 
    | stats sum(sent) AS sent 
    | return $sent] 
| eval RME= 
    [| loadjob savedsearch="myquery" 
    | where (strftime(_time, "%Y-%m-%d") = "2020-02-27") 
    | stats dc(eval(if(STEP="RME",ID_MESSAGE,NULL))) AS RME by ID_MESSAGE 
    | stats sum(RME) AS RME 
    | return $RME] 
| eval the_rest=sent-(RME+click)
0 Karma
Reply

tahasefiani
Explorer
‎03-04-2020 12:29 AM

Thanks @manjunathmeti
But there is a problem in your query! The result which I want on "click" and "RME", it's always on ID_MESSAGE recover in "sent" of 27/02/2020. And besides that is why I had used the join in my query.

Example: Admitting that we have "XYZ" and "WVT" as ID_MESSAGE on "sent"
The search in "click" and "RME" must be on "XYZ", "WVT"

0 Karma
Reply

manjunathmeti
Champion
‎03-04-2020 12:57 AM

try this:

| loadjob savedsearch="myquery" 
| where (strftime(_time, "%Y-%m-%d") >= "2020-02-27") AND (strftime(_time, "%Y-%m-%d") <= "2020-03-03") 
| stats dc(eval(if(STEP="Click",ID_MESSAGE,NULL))) AS click by ID_MESSAGE 
| timechart span=1d sum(click) AS click by ID_MESSAGE
| join type=left ID_MESSAGE 
     [| loadjob savedsearch="myquery" 
     | where (strftime(_time, "%Y-%m-%d") = "2020-02-27") 
     | stats dc(eval(if(STEP="Sent",ID_MESSAGE,NULL))) AS sent, dc(eval(if(STEP="RME",ID_MESSAGE,NULL))) AS RME by ID_MESSAGE 
     | stats sum(sent) AS sent, sum(RME) AS RME by ID_MESSAGE]
| eval the_rest=sent-(RME+click)
0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...