Solved: Re: Use the value of my first search in my second ...

exchanger · ‎03-24-2021

Hello,

With Appendcols I now have both values in one line. However, I would like to compare the values with each other.
As an example:
"mysearch " stats dc(User) as User1 |
appendcols [search "my2search" |
stats dc(User) as User2 ]

Now as result I get
User1 User2
500 1000
Now I would like to compare the two values in the same query, for example multiply User1 with User2 or similar. How can I include this in the search?

scelikok · ‎03-24-2021

Hi @exchanger,

You are almost there if I understood correctly;

"mysearch " stats dc(User) as User1 
| appendcols 
    [ search "my2search" 
    | stats dc(User) as User2 ]
| eval result=User1*User2

If this reply helps you an upvote is appreciated.

View solution in original post

bowesmana · ‎03-24-2021

Just keep adding more commands as necessary, for example

"mysearch " 
| stats dc(User) as User1
| appendcols [
  search "my2search"
  | stats dc(User) as User2 ]
| eval MultiplyResult=User1 * User2
| eval WhichIsBigger=case(User1 > User2, "User1 is bigger", User2 > User1, 
 "User2 is bigger", 1==1, "The users are equal")

Hope this helps

scelikok · ‎03-24-2021

Hi @exchanger,

You are almost there if I understood correctly;

"mysearch " stats dc(User) as User1 
| appendcols 
    [ search "my2search" 
    | stats dc(User) as User2 ]
| eval result=User1*User2

If this reply helps you an upvote is appreciated.

Use the value of my first search in my second search (append)

stats

.conf23 Registration is Now Open!

Don't wait! Accept the Mission Possible: Splunk Adoption Challenge Now and Win ...

Unify Your SecOps with Splunk Mission Control