Splunk Search

Use the value of my first search in my second search (append)

exchanger
Path Finder

Hello,

 

With Appendcols I now have both values in one line. However, I would like to compare the values with each other.
As an example:
"mysearch " stats dc(User) as User1 |
appendcols [search "my2search" |
stats dc(User) as User2 ]

Now as result I get
User1 User2
500     1000
Now I would like to compare the two values in the same query, for example multiply User1 with User2 or similar. How can I include this in the search?

 

Labels (1)
0 Karma
1 Solution

scelikok
SplunkTrust
SplunkTrust

Hi @exchanger,

You are almost there if I understood correctly;

"mysearch " stats dc(User) as User1 
| appendcols 
    [ search "my2search" 
    | stats dc(User) as User2 ]
| eval result=User1*User2
If this reply helps you an upvote is appreciated.

View solution in original post

0 Karma

bowesmana
SplunkTrust
SplunkTrust

Just keep adding more commands as necessary, for example

 

"mysearch " 
| stats dc(User) as User1
| appendcols [
  search "my2search"
  | stats dc(User) as User2 ]
| eval MultiplyResult=User1 * User2
| eval WhichIsBigger=case(User1 > User2, "User1 is bigger", User2 > User1, 
 "User2 is bigger", 1==1, "The users are equal")

 

 Hope this helps

 

0 Karma

scelikok
SplunkTrust
SplunkTrust

Hi @exchanger,

You are almost there if I understood correctly;

"mysearch " stats dc(User) as User1 
| appendcols 
    [ search "my2search" 
    | stats dc(User) as User2 ]
| eval result=User1*User2
If this reply helps you an upvote is appreciated.
0 Karma
Get Updates on the Splunk Community!

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...