Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do I combine my two searches to get expected results?

Joshua
Explorer
‎05-23-2016 05:01 AM

Hi,

Can someone help me?
I have the searches below and need to be combine the two to display the expected results:

    LastWKTotal ThisWKTotal Difference
ABC         
DEF         
GHI         
.

Searches:

index=xxx host=xxx sourcetype=ABC* Agent_NumberOfAgents=* earliest=-14d@d latest=-7d@d | dedup host | stats sum(Agent_NumberOfAgents) as LastWKTotal | appendcols [search index=XXX host=xxx sourcetype=ABC* Agent_NumberOfAgents=* earliest=-7d@d latest=now | dedup host | stats sum(Agent_NumberOfAgents) as ThisWKTotal] | eval Platform="ABC" | eval Difference=ThisWKTotal-LastWKTotal

and 

index=XXX host=XXX sourcetype=ABC* Agent_NumberOfAgents=* earliest=-14d@d latest=-7d@d | dedup host | stats sum(Agent_NumberOfAgents) as LastWKTotal | appendcols [search index=XXX host=XXX sourcetype=ABC* Agent_NumberOfAgents=* earliest=-7d@d latest=now | dedup host | stats sum(Agent_NumberOfAgents) as ThisWKTotal ] | eval Platform="DEF" | eval Difference=ThisWKTotal-LastWKTotal

Thanks in Advance

0 Karma
Reply

somesoni2
Revered Legend
‎05-23-2016 09:05 AM

Give this a try

index=xxx host=xxx (sourcetype=ABC* OR sourcetype=DEF*) Agent_NumberOfAgents=* earliest=-14d@d latest=now 
| eval Platform=if(like(sourcetype,"ABC%"),"ABC","DEF") 
| eval week=if(_time>=relative_time(now(),"-7d@d"),"ThisWKTotal","LastWKTotal") 
| dedup week Platform host 
| chart sum(Agent_NumberOfAgents) over Platform by week | eval Difference=ThisWKTotal-LastWKTotal
0 Karma
Reply

gabriel_vasseur
Contributor
‎05-23-2016 06:41 AM

If I understand what you mean, you just want to daisy-chain results from different searches... you should be able to do that simply with:

<INSERT_FIRST_SEARCH_HERE> | append [ search <INSERT_SECOND_SEARCH_HERE> ] | append [ search <INSERT_THIRD_SEARCH_HERE> ]

Etc.

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎05-23-2016 05:30 AM

should sourcetypes be DEF* in the 2nd search? ...

should both searches provided by combined together, or are they examples of you trying to combine 2 searches together?

I ask because they are the same exact search only in the 2nd one you eval Platform="DEF" at the very end.

Also, would be great if you provided example data.

0 Karma
Reply
Get Updates on the Splunk Community!

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...

Adoption of Infrastructure Monitoring at Splunk

  Splunk's Growth Engineering team showcases one of their first Splunk product adoption-Splunk Infrastructure ...

Modern way of developing distributed application using OTel

Recently, I had the opportunity to work on a complex microservice using Spring boot and Quarkus to develop a ...