i have two different searches there is nothing com...

dhirajyadav · ‎07-04-2018

query 1: index=lenovo sourcetype = ticketmaster | where Status in ("Assigned","In-Progress","New","Pending")
| stats dc(No) as LENOVO_COUNT by Status

query 2: sourcetype="remedy_incident" OR sourcetype="remedy_incident_task"
| where state in(1,2,14,16,18,22,40,62)
| eval Status = case(state = "1","New",state = "2","Active",state = "14","Pending",state = "16","Pending",state = "18","Pending",state = "22","Pending",state = "40","Pending",state = "62","Pending") | stats dc(number) as REMEDY_COUNT by Status

woodcock · ‎07-04-2018

Try this:

(index=lenovo sourcetype = ticketmaster) OR (sourcetype="remedy_incident" OR sourcetype="remedy_incident_task")
| where (Status IN("Assigned","In-Progress","New","Pending") OR state IN(1,2,14,16,18,22,40,62))
| eval Status = case(sourcetype = ticketmaster, Status, state = "1","New",state = "2","Active",state = "14","Pending",state = "16","Pending",state = "18","Pending",state = "22","Pending",state = "40","Pending",state = "62","Pending") 
| stats dc(No) AS LENOVO_COUNT dc(number) AS REMEDY_COUNT BY Status

renjith_nair · ‎07-04-2018

Hi @dhirajyadav,

How do you want to combine? What should be the final result?

Happy Splunking!

i have two different searches there is nothing common between both the search, I want to combine both the result as one.

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!