Splunk Search

Joining Tables

crmarley20
Explorer

Hello, 

I need your help please, I have two tables resulting from two searches and I need to join these two tables to make a cumulative bar chart according to date.

My tables are 

crmarley20_0-1644425055153.png

crmarley20_1-1644425077542.png

What I want to achieve is:

DatumA1A2A3A4A5A6
2022-02-085.7 3.71.94.5690.3

 

 

 

Labels (7)
0 Karma

BahadirS
Path Finder

Hello

You have two different formatted tables. You might want to transform the structure either on first search or second. 

 

first_search
| join type=left Schicht_Datum [ second_search | untable Schicht_Datum segment mid_result ]
| xyseries Schicht_Datum segment mid_result

 

 

0 Karma

VatsalJagani
Super Champion

Something like this:

<first table's search> | chart sum(mid_result) over segment
| append [| search <second table's search>]
| stats sum(*) as * by Schiche_Datum
| rename Schiche_Datum as Datum

Kindly ignore typos and fix column names if I mis-typed it.

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

What are your two searches?

0 Karma
Get Updates on the Splunk Community!

New Splunk Observability innovations: Deeper visibility and smarter alerting to ...

You asked, we delivered. Splunk Observability Cloud has several new innovations giving you deeper visibility ...

Synthetic Monitoring: Not your Grandma’s Polyester! Tech Talk: DevOps Edition

Register today and join TekStream on Tuesday, February 28 at 11am PT/2pm ET for a demonstration of Splunk ...

Instrumenting Java Websocket Messaging

Instrumenting Java Websocket MessagingThis article is a code-based discussion of passing OpenTelemetry trace ...