Hi,
I have multiple search queries for which I have created separate panels in a dashboard, each showing the output as follows:
Query1:
parameter Value Comments
xyz 1223 abc
Query2:
parameter Value Comments
x1y1z1 23 a1b1c1
I want to see the output in one table (panel) showing the result as follows:
parameter Value Comments
xyz 1223 abc
x1y1z1 23 a1b1c1
I have tried to merge all the queries and display the output. But I still prefer to run the independent queries, so as for simultaneously indexing.
Please Help...!!!
Since the column names are the same in both queries, you can simply use |append to concatenate the result of one query to another.
<Your query 1 which gives parameter, Value, Comments >
| append [ search <your query 2 which again gives parameter, Value, Comments>]
example
query 1: index=_internal | stats count by sourcetype
query 2: index=main | stats count by sourcetype
both give sourcetype and count as columns
index=_internal | stats count by sourcetype
| append [search index=main | stats count by sourcetype]
What about multisearch? The searches are run separately, and you can easily table the combined results.
| multisearch
[search index=a blah=bleh]
[search index=b blip=blop
| rename param AS Parameter
| rename val AS Value
| rename comment AS Comments]
| table Parameter Value Comments
Indentation only for readability.
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Multisearch
/K
Getting error - Error in 'multisearch' command: Multisearch subsearches may only contain purely streaming operations (subsearch 1 contains a non-streaming command.)
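An added example, not part of the original thread: the error above appears when a multisearch branch contains a transforming command such as `stats`, so one way around it is to keep each branch streaming-only (`eval`, `fields`, `rename`) and aggregate once after the branches are combined. It reuses the `index=_internal` and `index=main` searches from the append answer; the `query` field and its values are hypothetical labels that keep the two result sets apart.

```spl
| multisearch
    [search index=_internal | eval query="query1" | fields query, sourcetype]
    [search index=main      | eval query="query2" | fields query, sourcetype]
| stats count by query, sourcetype
| table query, sourcetype, count
```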
You don't seem to need to do anything to the data once you have it together, right? So it should be pretty simple.
Let's say you have
If you do something like:
It will give you a full list of all the events that either match your first set OR match your second set.
Note that you'll have to surround your
Hope this helps
Hello,
You will not be able to do it that easily. So in the dashboard you need to have 2 panels in the same row, okay? First search will give you
parameter Value Comments
xyz 1223 abc
Second search you need to format and |rename parameter as "",Value as "", Comments as ""
And add it in the dashboard. I am not sure about the look and feel, but this is what can be done in your case, as Splunk doesn't have any built-in option to remove the column header.
Yes, you may want to play with using .css with sideviewutil's html module. The best bet would be a join statement rather than many other workarounds.
Thanks linu,
Even I have tried the same, but even after keeping the headers blank, "up/down arrows" are still visible. Plus, as the panels are different, there is much spacing between the panels.
Have updated the answer.
I want to run the queries independently, as running them on joining is taking much time.