append searches

Explorer

I appended 2 searches and each of them has "top Engineer" and now my result is like this.

Engineer  Escalated  Closed
Shaun     61
Smith     53
Arun      41
Sam       19
John      14
Jason     13
Eddy      12
Rich      9
Arun                 114
John                 93
Shaun                76
Eddy                 74
Jason                46
Rich                 38
Smith                16
Sam                  12
Sam 12

How can I have a result like this?

Engineer  Escalated  Closed
Shaun     61         76
Smith     53         16
Arun      41         114
Sam       19         12
John      14         93
Jason     13         46
Eddy      12         74
Rich      9          38

1 Solution

SplunkTrust

You could do one of two things:

search one | append [search two] | stats values(Escalated) as Escalated values(Closed) as Closed by Engineer

search one | join Engineer [search two]

The second approach will only work if the set of engineers in both searches is identical.

There probably is a third way to avoid the need to append altogether; do post your two searches so we can have a look.
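The first approach as an added example (not part of the original answer), with constructed rows from makeresults standing in for the two real searches, which the thread does not show. Sam is constructed to appear only in the Escalated set and Rich only in the Closed set: stats keeps both and fillnull puts 0 in the empty column, whereas join with its default inner type returns only engineers present in both sets.

```spl
| makeresults
| eval row=split("Shaun,61;Smith,53;Arun,41;Sam,19", ";")
| mvexpand row
| eval Engineer=mvindex(split(row, ","), 0), Escalated=tonumber(mvindex(split(row, ","), 1))
| fields Engineer Escalated
| append
    [| makeresults
     | eval row=split("Arun,114;Shaun,76;Smith,16;Rich,38", ";")
     | mvexpand row
     | eval Engineer=mvindex(split(row, ","), 0), Closed=tonumber(mvindex(split(row, ","), 1))
     | fields Engineer Closed]
| stats values(Escalated) as Escalated values(Closed) as Closed by Engineer
| fillnull value=0 Escalated Closed
| sort - Escalated
```

The result has one row per engineer: Shaun 61/76, Smith 53/16, Arun 41/114, Sam 19/0, Rich 0/38.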

Splunk Employee

Remember that the subsearch for the append is limited to 10000 results.
