Joining Tables

crmarley20 · ‎02-09-2022

Hello,

I need your help please, I have two tables resulting from two searches and I need to join these two tables to make a cumulative bar chart according to date.

My tables are

What I want to achieve is:

Datum	A1	A2	A3	A4	A5	A6
2022-02-08	5.7		3.7	1.9	4.56	90.3

BahadirS · ‎02-09-2022

Hello

You have two different formatted tables. You might want to transform the structure either on first search or second.

first_search
| join type=left Schicht_Datum [ second_search | untable Schicht_Datum segment mid_result ]
| xyseries Schicht_Datum segment mid_result

VatsalJagani · ‎02-09-2022

Something like this:

<first table's search> | chart sum(mid_result) over segment
| append [| search <second table's search>]
| stats sum(*) as * by Schiche_Datum
| rename Schiche_Datum as Datum

Kindly ignore typos and fix column names if I mis-typed it.

ITWhisperer · ‎02-09-2022

What are your two searches?

Joining Tables

chart

fields

join

lookup

stats

table

tstats

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation

Joining Tables

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.