Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Table from two separate searches and sourcetypes

Brainstorms
Explorer
‎10-02-2021 10:11 AM

So, to preface this, I am very new to Splunk. 
The end game is to make a chart overlay, but that's not my main question here.

I have two searches with very similar information being returned. I need to make a table with information from both searches and I just can't seem to manage it. I have tried append, appendcols, multisearch, etc. The problem is that I cannot use OR for the sourcetype because the two sourcetypes have extremely similar information in them and the queries to pull from them are the exact same.
Example:

First:

index = indexa sourcetype = sourcetypeA 
| count X as "Result A"
| other logic etc
| table month_year "Result A"
 
Second:

index= indexa sourcetype = sourcetypeB
| count X as "Result B"
| other logic etc
| table month_year "Result B"

Ultimately I'd want the results to say:

month_YearResult BResult A
infoinfoinfo


Right now when I attempt to do anything, it just skips out on "Result B" entirely. I know there must be some simple way I'm just missing. If anyone could help me out I'd really appreciate it, this is driving me crazy.

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎10-02-2021 10:18 AM

Perhaps this will help.

index = indexa (sourcetype = sourcetypeA  OR sourcetype = sourcetypeB)
| stats sum(eval(sourcetype=sourcetypA) as "Result A", sum(eval(sourcetype=sourcetypeB) as "Result B"
| other logic etc
| table month_year "Result A" "Result B"
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎10-02-2021 10:18 AM

Perhaps this will help.

index = indexa (sourcetype = sourcetypeA  OR sourcetype = sourcetypeB)
| stats sum(eval(sourcetype=sourcetypA) as "Result A", sum(eval(sourcetype=sourcetypeB) as "Result B"
| other logic etc
| table month_year "Result A" "Result B"
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

Brainstorms
Explorer
‎10-02-2021 10:59 AM

THANK YOU. I knew I was close in some of my attempts but I just couldn't make the connection. This worked for me exactly as needed.

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...