i have two different searches there is nothing com...

dhirajyadav · ‎07-04-2018

query 1: index=lenovo sourcetype = ticketmaster | where Status in ("Assigned","In-Progress","New","Pending")
| stats dc(No) as LENOVO_COUNT by Status

query 2: sourcetype="remedy_incident" OR sourcetype="remedy_incident_task"
| where state in(1,2,14,16,18,22,40,62)
| eval Status = case(state = "1","New",state = "2","Active",state = "14","Pending",state = "16","Pending",state = "18","Pending",state = "22","Pending",state = "40","Pending",state = "62","Pending") | stats dc(number) as REMEDY_COUNT by Status

woodcock · ‎07-04-2018

Try this:

(index=lenovo sourcetype = ticketmaster) OR (sourcetype="remedy_incident" OR sourcetype="remedy_incident_task")
| where (Status IN("Assigned","In-Progress","New","Pending") OR state IN(1,2,14,16,18,22,40,62))
| eval Status = case(sourcetype = ticketmaster, Status, state = "1","New",state = "2","Active",state = "14","Pending",state = "16","Pending",state = "18","Pending",state = "22","Pending",state = "40","Pending",state = "62","Pending") 
| stats dc(No) AS LENOVO_COUNT dc(number) AS REMEDY_COUNT BY Status

renjith_nair · ‎07-04-2018

Hi @dhirajyadav,

How do you want to combine? What should be the final result?

---
What goes around comes around. If it helps, hit it with Karma 🙂

i have two different searches there is nothing common between both the search, I want to combine both the result as one.

Splunk Search APIを使えば調査過程が残せます

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!

Join the Conversation

i have two different searches there is nothing common between both the search, I want to combine both the result as one.

Splunk Search APIを使えば調査過程が残せます

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!