Merge two search results and add difference

malekseev · ‎06-22-2018

I have result of one search1 stored in csv by outpootlookup.
I use this lookup for the search2 as a criteria, e.g. what I need to find in search2.
My search

index="index1" source="source1" 
| lookup t.csv A OUTPUT A 
| stats count by A 
| rename A as A4, count as C4 
| table A4,C4
| sort A4
| appendcols 
    [| inputlookup t.csv 
    | table A,C
    | sort A]

And the result looks like this:

Columns A,C - columns from criteria
Columns A4,C4 - columns from search

In the end I want to get table with columns:
A, C4

It means that in table colunms with names(column A) and count(column C4). But there is one condition: if one of A haven't been found in search, then use 0 as count for this line (I marked this cell by yellow color)

P.S. I've tried to do this by join but I always get result without cell bla3

vidhyaArumalla · ‎06-22-2018

Please try the below solution.

| inputlookup t.csv 
| table A,C 
| join A type=left 
    [ index="index1" source="source1" 
    | lookup t.csv A OUTPUT A "]
    | stats count(index) as C4 by A
    | sort A

Merge two search results and add difference

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Fun with Regular Expression - multiples of nine

Are you a member of the Splunk Community?

Merge two search results and add difference

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Fun with Regular Expression - multiples of nine