Splunk Search

Show result of multiple queries as rows of single Table (one query=one row)

I have multiple search queries for which I have created separate panels in a dashboard, each showing the output as follows:


parameter   Value   Comments
xyz         1223    abc


parameter   Value   Comments
x1y1z1      23      a1b1c1

I want to see the output in one table (panel) showing the result as follows:

parameter   Value   Comments
xyz         1223    abc
x1y1z1      23      a1b1c1

I have tried to merge all the queries and display the output. But I still prefer to run the independent queries, so as for simultaneously indexing.

Please Help...!!!

0 Karma


Since the column names are the same in both queries, you can simply use |append to concatenate the result of one query to another.

<Your query 1 which gives parameter, Value, Comments>
| append [ search <your query 2 which again gives parameter, Value, Comments>]

query 1: index=_internal | stats count by sourcetype 
query 2: index=main | stats count by sourcetype
Both give sourcetype and count as columns.

index=_internal | stats count by sourcetype 
| append [search index=main | stats count by sourcetype]


What about multisearch? The searches are run separately, and you can easily table the combined results.

| multisearch 
   [search index=a blah=bleh] 
   [search index=b blip=blop 
      | rename param AS Parameter 
      | rename val AS Value 
      | rename comment AS Comments] 
| table Parameter Value Comments

Indentation only for readability.




Getting error - Error in 'multisearch' command: Multisearch subsearches may only contain purely streaming operations (subsearch 1 contains a non-streaming command.)

0 Karma
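The error quoted in the comment above is raised when a multisearch subsearch contains a non-streaming command such as stats. As an added example (not posted by anyone in this thread), the append search from the first answer can be restructured so that each subsearch contains only streaming commands and the aggregation runs once on the merged events; the field name query_source is an assumption introduced for illustration:

```spl
| multisearch
    [ search index=_internal
      | eval query_source="query 1" ]
    [ search index=main
      | eval query_source="query 2" ]
| stats count by query_source, sourcetype
| table query_source sourcetype count
```

Commands such as eval and rename are streaming and may stay inside the brackets; anything that aggregates or reorders results has to move after the multisearch.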


You don't seem to need to do anything to the data once you have it together, right? So it should be pretty simple.

Let's say you have that gives you your first set of results, and for the second set of results.

If you do something like:


It will give you a full list of all the events that either match your first set OR match your second set.

Note that you'll have to surround your with parentheses, if there are multiple statements in it. Example: (index=myind1 source=*.log) OR index=myind2

Hope this helps


You will not be able to do it that easily. So in the dashboard you need to have 2 panels in the same row, okay? The first search will give you

    parameter   Value   Comments
    xyz         1223    abc

The second search you need to format with |rename parameter as "", Value as "", Comments as ""
and add it to the dashboard. I am not sure about the look and feel, but this is what can be done in your case, as Splunk doesn't have any built-in option to remove the column header.

0 Karma


Yes, you may want to play with using .css with sideviewutil's html module. The best bet would be a join statement rather than many other workarounds.

0 Karma

Thanks linu,
Even I have tried the same, but even after keeping the headers blank, "up/down arrows" are still visible. Plus, as the panels are different, there is much spacing between the panels.

0 Karma


Have updated the answer.

0 Karma

I want to run the queries independently, as running them on joining is taking much time.

0 Karma