Solved: Use the value of my first search in my second sear...

exchanger · ‎03-24-2021

Hello,

With Appendcols I now have both values in one line. However, I would like to compare the values with each other.
As an example:
"mysearch " stats dc(User) as User1 |
appendcols [search "my2search" |
stats dc(User) as User2 ]

Now as result I get
User1 User2
500 1000
Now I would like to compare the two values in the same query, for example multiply User1 with User2 or similar. How can I include this in the search?

scelikok · ‎03-24-2021

Hi @exchanger,

You are almost there if I understood correctly;

"mysearch " stats dc(User) as User1 
| appendcols 
    [ search "my2search" 
    | stats dc(User) as User2 ]
| eval result=User1*User2

If this reply helps you an upvote and "Accept as Solution" is appreciated.

View solution in original post

bowesmana · ‎03-24-2021

Just keep adding more commands as necessary, for example

"mysearch " 
| stats dc(User) as User1
| appendcols [
  search "my2search"
  | stats dc(User) as User2 ]
| eval MultiplyResult=User1 * User2
| eval WhichIsBigger=case(User1 > User2, "User1 is bigger", User2 > User1, 
 "User2 is bigger", 1==1, "The users are equal")

Hope this helps

scelikok · ‎03-24-2021

Hi @exchanger,

You are almost there if I understood correctly;

"mysearch " stats dc(User) as User1 
| appendcols 
    [ search "my2search" 
    | stats dc(User) as User2 ]
| eval result=User1*User2

If this reply helps you an upvote and "Accept as Solution" is appreciated.

Use the value of my first search in my second search (append)

stats

Index This | Why did the turkey cross the road?

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Feel the Splunk Love: Real Stories from Real Customers

Are you a member of the Splunk Community?

Use the value of my first search in my second search (append)

stats

Index This | Why did the turkey cross the road?

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Feel the Splunk Love: Real Stories from Real Customers