Show result of multiple queries as rows of single ...

harshal_chakran · ‎01-02-2014

Hi,
I have a multiple search queries for which I have created separate panels in Dashboard, each showing the output as follows:

Query1:

parameter   Value   Comments
  xyz        1223     abc

Query2:

 parameter  Value   Comments
  x1y1z1      23      a1b1c1

I want to see the output in one table(Panel) showing the result as follows:

parameter     Value      Comments
  xyz         1223         abc
  x1y1z1       23        a1b1c1

I have tried to merge all the queries and display the output. But I still prefer to run the independent queries, so as for simultaneously indexing.

Please Help...!!!

somesoni2 · ‎01-02-2014

Since the column names are same in both the queries, you can simply use |append to concatenate the result of one query to another.

<Your query 1 which gives parameter, Value, Comments >
| append [ search <your query 2 which again gives paramter, Value, Comments>]

example
query 1: index=_internal | stats count by sourcetype 
query 2: index=main | stats count by sourcetype
both gives sourcetype and count as column

index=_internal | stats count by sourcetype 
| append [search index=main | stats count by sourcetype]

kristian_kolb · ‎01-02-2014

What about multisearch? The searches are run separately, and you can easily table the combined results.

| multisearch 
   [search index=a blah=bleh] 
   [search index=b blip=blop 
      | rename param AS Parameter 
      | rename val AS Value 
      | rename comment AS Comments] 
| table Parameter Value Comments

Indentation only for readability.

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Multisearch

/K

vermabhi90 · ‎09-12-2019

Getting error - Error in 'multisearch' command: Multisearch subsearches may only contain purely streaming operations (subsearch 1 contains a non-streaming command.)

aholzer · ‎01-02-2014

You don't seem to need to do anything to the data once you have it together, right? So it should be pretty simple.

Lets say you have that gives you your first set of results, and for the second set of results.

If you do something like:

OR

It will give you a full list of all the events that either match your first set OR match your second set.

Note that you'll have to surround your with parenthesis, if there are multiple statements in it. Example: (index=myind1 source=*.log) OR index=myind2

Hope this helps

linu1988 · ‎01-02-2014

Hello,
You will not be able to do it that easily. So in the dashboard you need to have 2 panles in same row okay? First search will give you

    parameter   Value   Comments
     xyz        1223     abc

Second search you need to format and |rename parameter as "",Value as "", Comments as ""
And add it in the dashboard. Am not sure about the look and feel but this what can be done in your case as splunk doesn't have any option to remove the column header built-in

linu1988 · ‎01-02-2014

Yes you may want to play with using .css with sideviewutil's html module. The best bet would be a join statement rather than many other work arounds

harshal_chakran · ‎01-02-2014

Thanks linu,
Even I have tried the same, but even after keeping the headers blank, "up/down arrows" are still visible. Plus as the panels are different , there is much spacing between the panels.

linu1988 · ‎01-02-2014

Have updated the answer.

harshal_chakran · ‎01-02-2014

I want to run the queries independently, as running them on joining is taking much time.

Show result of multiple queries as rows of single Table (one query=one row)

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2