
results into a single row table

fresned
Path Finder

Hi,

I have three search results giving me three different sets of results; there are values from each search. I have not been able to find a way to get the results into a single row table.

I need to merge all these results into a single row in a single table.

The structure of the search I have used is given below.

[ search 1 ]

[ search 2 ]

[ search 3 ]

The resulting table should look like:

up               failed           success          down
results search1  results search2  results search2  results search3

Appreciate any help!


dwaddle
SplunkTrust

Seeing the example searches and data would be useful indeed. Without them, though, we can still do some handwaving toward an answer. This may not be correct, depending on your exact searches, but it should get you in the ballpark.

Let's start by putting all three of your searches together. This is far from the most efficient way, but it's what works with all I have to go on:

search1 | append [ search search2 ] | append [ search search3]

The "append" search command will run each of these three searches and append their results together. The additional word "search" in the subsearches for search2/search3 is required as part of the subsearch.

Now, I'll make an assumption that "search1" returns an extracted field named "up", "search2" returns extracted fields named "failed" and "success", and "search3" returns an extracted field named "down". I'll also assume that the field names "up", "failed", "success", and "down" are unique and exclusive to their respective searches. (That is, "search1" does NOT have an extracted field named "failed", "success", or "down" ... and so on)

Given the above assumptions, we know that the stats operation max() should only find a single value to be "the" maximum for a given field. So, we can use stats to collapse this into a single table row:

... (above search) ... 
| stats max(up) as up, max(failed) as failed, max(success) as success, max(down) as down

Giving you a single table row for results from all three searches ...
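
A self-contained version of the approach in the answer above, as an added example that is not part of the original post. Here makeresults stands in for the three real searches, and the values 12, 3, 40 and 2 are constructed sample values. Before the final stats, the pipeline holds three sparse rows, one per search with only its own fields set, and max() skips the empty cells when collapsing them into one row.

```spl
| makeresults
| eval up=12
| append
    [| makeresults
     | eval failed=3, success=40 ]
| append
    [| makeresults
     | eval down=2 ]
| fields - _time
| stats max(up) as up, max(failed) as failed, max(success) as success, max(down) as down
```

Remove the final stats line to see the three intermediate rows. Because max() is used, a field that appeared in more than one appended row would report only its largest value, which is why the answer assumes each field name is exclusive to one search.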

tfletcher_splun
Splunk Employee

Can you post the searches?
