
Combine 2 searches into one pie chart

HMIPowell
Explorer

How can the following 2 searches be used in a single Pie Chart?

SEARCH ONE
index=security host=THAT* OR host=THIS* SourceName="Microsoft-AzureMfa-AuthZ" "Access Accepted" | rex field=Message "\S*user (?<ValueOne>\S*)" | dedup ValueOne | Stats Count

SEARCH TWO
index=network source="D:\\Radlogs\\IN*.log" SOMETHING1* "4136,2," | rex "(?:[^,]*,\s*){1}(?<ValueTwo>\w+)"| dedup ValueTwo | Stats Count

I can join both the statements, but that doesn't allow them both to be used in a single chart. Seems one carries precedence over the other.

Also tried
( index=security host=THAT* OR host=THIS* SourceName="Microsoft-AzureMfa-AuthZ" "Access Accepted" | rex field=Message "\S*user (?<ValueOne>\S*)" | dedup ValueOne ) OR ( index=network source="D:\\Radlogs\\IN*.log" SOMETHING1* "4136,2," | rex "(?:[^,]*,\s*){1}(?<ValueTwo>\w+)"| dedup ValueTwo ) | stats count by index | replace security with TestOne network with TestTwo

That gives an unbalanced parentheses error.


1 Solution

kamlesh_vaghela
SplunkTrust

@HMIPowell 

Are you looking for this?

index=security host=THAT* OR host=THIS* SourceName="Microsoft-AzureMfa-AuthZ" "Access Accepted" 
| rex field=Message "\S*user (?<ValueOne>\S*)" 
| dedup ValueOne 
| append [ search index=network source="D:\\Radlogs\\IN*.log" SOMETHING1* "4136,2," 
| rex "(?:[^,]*,\s*){1}(?<ValueTwo>\w+)" 
| dedup ValueTwo ]
| stats count by index 
| replace security with TestOne network with TestTwo

Thanks
KV
▄︻̷̿┻̿═━一

If any of my replies helps you to solve the problem or gain knowledge, an upvote would be appreciated.
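An alternative that does without the subsearch, added here as an example and not part of the original thread: `append` runs its inner search as a subsearch, so it has to finish within `maxtime` (default 60 seconds) and may return at most `maxout` rows (default 50,000), and a slow or large second search can leave the second slice of the pie short. Searching both indexes in one base search and counting distinct users with `dc()` avoids that limit; the rex patterns and index names are the ones from the question, while the field names `user` and `label` are my own choices.

```spl
( index=security host=THAT* OR host=THIS* SourceName="Microsoft-AzureMfa-AuthZ" "Access Accepted" )
OR ( index=network source="D:\\Radlogs\\IN*.log" SOMETHING1* "4136,2," )
| rex field=Message "\S*user (?<ValueOne>\S*)"
| rex "(?:[^,]*,\s*){1}(?<ValueTwo>\w+)"
| eval user=if(index=="security", ValueOne, ValueTwo)
| eval label=case(index=="security", "TestOne", index=="network", "TestTwo")
| stats dc(user) AS count BY label
```

`dc()` ignores events where `user` is empty, which matches what `dedup` followed by `stats count` produced in each original search, and the resulting `count BY label` table can be put on a pie chart just like the accepted answer's output.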

HMIPowell
Explorer

Exactly that! Thanks for the quick response!

kamlesh_vaghela
SplunkTrust

@HMIPowell 

Glad to help you.

Happy Splunking 

KV
