Re: Can you combine fields from multiple search in...

roopasree · ‎06-12-2018

Hi

I'm trying to combine fields in multiple search result in one output table as overall result, for example:

Search 1 result
Date,open ,close

Search 2 result
incident ,type1,result

Output table
Date,open ,close,incident ,type1,result

Hope question is clear

Thanks

PowerPacked · ‎06-12-2018

Hi @roopasree

There should be a common field in main & sub search to map the results correctly,

if you want to just append the columns use the above answer ----- appendcols, append commands should work for that.

if you want to map the results between main and sub search based on a specific field ----- join command should work for you.

main search | fields date,open,close,incidentnum | join incidentnum [search subsearch | fields incident,type1,result,incidentnum] | stats c by date,open,close,incidentnum,incident,type1,result

Thanks

jowenssi · ‎06-12-2018

Sure, just use | appendcols

search foo | fields date,open,close | appendcols [ search bar | fields incident,type1,result]

http://docs.splunk.com/Documentation/Splunk/7.1.1/SearchReference/Appendcols

pradeepkumarg · ‎06-12-2018

How will you know what rows from result 1 relate to what rows in result 2? Is there not a common field between the two datasets?

roopasree · ‎06-13-2018

@gpradeepkumarreddy yes there is no comman field among two datasets

Can you combine fields from multiple search in one table?

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

Troubleshooting the OpenTelemetry Collector

Adoption of Infrastructure Monitoring at Splunk