Splunk Search

append searches

karthik4455
Explorer

I appended 2 searches and each of them has "top Engineer" and now my result is like this.

Engineer  Escalated  Closed

Shaun     61
Smith     53
Arun      41
Sam       19
John      14
Jason     13
Eddy      12
Rich      9
Arun                 114
John                 93
Shaun                76
Eddy                 74
Jason                46
Rich                 38
Smith                16
Sam                  12

How can I have a result like this?
Engineer  Escalated  Closed

Shaun     61         76
Smith     53         16
Arun      41         114
Sam       19         12
John      14         93
Jason     13         46
Eddy      12         74
Rich      9          38


martin_mueller
SplunkTrust

You could do one of two things:

search one | append [search two] | stats values(Escalated) as Escalated values(Closed) as Closed by Engineer

search one | join Engineer [search two]

The second approach will only work if the set of engineers in both searches is identical.

There probably is a third way to avoid the need to append altogether; do post your two searches so we can have a look.

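A self-contained version of the append-then-stats approach from the answer above, added here as an illustration and not taken from either poster's searches. The two `makeresults` blocks are constructed sample data standing in for "search one" and "search two", and assume a Splunk version whose `makeresults` supports the `format=csv` and `data` arguments. Sam and Eddy each appear in only one of the two sets, so `stats ... by Engineer` still returns a row for each of them (zero-filled by `fillnull`), whereas the `join Engineer` form would return only the engineers present in both.

```spl
| makeresults format=csv data="Engineer,Escalated
Shaun,61
Smith,53
Arun,41
Sam,19"
| append
    [| makeresults format=csv data="Engineer,Closed
Arun,114
Shaun,76
Smith,16
Eddy,74"]
| stats values(Escalated) as Escalated values(Closed) as Closed by Engineer
| fillnull value=0 Escalated Closed
| sort - num(Escalated)
```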

yannK
Splunk Employee

Remember that the sub search for the append is limited to 10000 results.
