Solved: Re: Use the value of my first search in my second ...

exchanger · ‎03-24-2021

Hello,

With Appendcols I now have both values in one line. However, I would like to compare the values with each other.
As an example:
"mysearch " stats dc(User) as User1 |
appendcols [search "my2search" |
stats dc(User) as User2 ]

Now as result I get
User1 User2
500 1000
Now I would like to compare the two values in the same query, for example multiply User1 with User2 or similar. How can I include this in the search?

scelikok · ‎03-24-2021

Hi @exchanger,

You are almost there if I understood correctly;

"mysearch " stats dc(User) as User1 
| appendcols 
    [ search "my2search" 
    | stats dc(User) as User2 ]
| eval result=User1*User2

If this reply helps you an upvote and "Accept as Solution" is appreciated.

View solution in original post

bowesmana · ‎03-24-2021

Just keep adding more commands as necessary, for example

"mysearch " 
| stats dc(User) as User1
| appendcols [
  search "my2search"
  | stats dc(User) as User2 ]
| eval MultiplyResult=User1 * User2
| eval WhichIsBigger=case(User1 > User2, "User1 is bigger", User2 > User1, 
 "User2 is bigger", 1==1, "The users are equal")

Hope this helps

scelikok · ‎03-24-2021

Hi @exchanger,

You are almost there if I understood correctly;

"mysearch " stats dc(User) as User1 
| appendcols 
    [ search "my2search" 
    | stats dc(User) as User2 ]
| eval result=User1*User2

If this reply helps you an upvote and "Accept as Solution" is appreciated.

Use the value of my first search in my second search (append)

stats

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!