I have three searches giving me three different sets of results, in which there is one common field called object, and the number of results in each result set may vary. I have used append to merge these results, but I am not happy with the results. I need to merge all these results into a single table.

The structure of the search I have used is given below. (It's only a sample.)

search1 | stats .... by object
| append [ search2 | stats .... by object ]
| append [ search3 | stats .... by object ]

Results after append

OBJECT  COUNT   Requests    Unique
http    100
rtsp    250

http            25
rtsp            21
rtmp            10

http                        10
rtsp                        11

What I need is as below.

OBJECT  COUNT   Requests    Unique
http    100     25          10
rtsp    250     21          11
rtmp            10

How can I do this? Can I use join instead of append?

asked 06 Feb '12, 20:26

KarunK
accept rate: 18%

It's a bit hard to tell, since you don't give an example of the actual logs. Join can be a very expensive operation, and should probably be avoided if possible.

Are there three different sourcetypes involved?


(06 Feb '12, 22:59) kristian.kolb ♦

Yes, there are different sourcetypes involved.

I have figured out a way to do it with join, but I am not sure whether this is the best way.

Any comments?

search1 | stats .... by object | join type=outer object [ search2 | stats .... by object | join type=outer object [ search3 | stats .... by object ] ]

(07 Feb '12, 14:33) KarunK

The above solution does not seem to be working. It only looks for the field object in the first search and tries to join the respective results from search 2 and search 3.

What I was looking for was a complete merge of the three results, meaning I would like to see the results from search 2 and search 3 in the final results even though the corresponding object is missing in search 1.

Any ideas?

Please help?

Thanks in advance.

(09 Feb '12, 20:13) KarunK
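As an added illustration (not code from this thread), the following Python models the three per-object result tables from the question and contrasts the two merge semantics discussed: a `join type=outer`, which keeps only the objects present in the first search, against appending all rows and then aggregating by object, which keeps every object. The table values are constructed from the question's sample output.

```python
# Added example, not part of the original thread. Models the merge semantics
# discussed above on the question's own sample data.

# Constructed sample results, one row per object, taken from the question's tables
SEARCH1 = {"http": 100, "rtsp": 250}            # COUNT
SEARCH2 = {"http": 25, "rtsp": 21, "rtmp": 10}  # Requests
SEARCH3 = {"http": 10, "rtsp": 11}              # Unique

COLUMNS = ["COUNT", "Requests", "Unique"]


def left_outer_join(tables):
    """Splunk-style `join type=outer`: only objects present in the first (main) search survive."""
    first, *rest = tables
    merged = {obj: {COLUMNS[0]: val} for obj, val in first.items()}
    for col, table in zip(COLUMNS[1:], rest):
        for obj in merged:
            if obj in table:
                merged[obj][col] = table[obj]
    return merged


def full_merge(tables):
    """`append` every result set, then aggregate by object: every object from every search survives."""
    merged = {}
    for col, table in zip(COLUMNS, tables):
        for obj, val in table.items():
            merged.setdefault(obj, {})[col] = val
    return merged


def render(merged):
    """Render in the table shape shown in the question; missing cells are blank (fillnull would make them 0)."""
    lines = ["OBJECT\t" + "\t".join(COLUMNS)]
    for obj in sorted(merged):
        cells = [str(merged[obj].get(c, "")) for c in COLUMNS]
        lines.append(obj + "\t" + "\t".join(cells))
    return "\n".join(lines)


if __name__ == "__main__":
    tables = [SEARCH1, SEARCH2, SEARCH3]
    print("join type=outer:\n" + render(left_outer_join(tables)))
    print("\nappend + stats by object:\n" + render(full_merge(tables)))
```

Running it shows rtmp present only in the second table, which is exactly the row the nested join drops.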

3 Answers:

Couldn't you just move the stats command to the end of your query?

search1 | append [ search2 ] | append [ search3 ] | stats .... by object

answered 10 Feb '12, 01:28

Ayn ♦
accept rate: 40%

Nope, it's not working. I am getting a smaller number of results than when I search separately and add them together.

(12 Feb '12, 17:26) KarunK

Use 'appendcols'

answered 08 Mar '12, 04:04

ramab
accept rate: 0%


The actual search string is shown below.

(sourcetype="mms_export" c_status=200) OR (sourcetype="we_accesslog" NOT *.isml)
| stats sum(sc_bytes) as sum_m sum(Bytes_Xferred) as sum_http by client_ip
| join type=outer client_ip [ search (sourcetype="we_accesslog" *.isml) | stats sum(Bytes_Xferred) as sum_smooth by client_ip ]
| join type=outer client_ip [ search (sourcetype="fms_access") | chart sum(sc_bytes) as sum by client_ip, x_event | eval diff_flash=disconnect-connect ]
| fillnull sum_m sum_http sum_smooth diff_flash
| eval 'WMT(GB)'=round(sum_m/(1024*1024*1024),4)
| eval 'WEB_HTTP(GB)'=round(sum_http/(1024*1024*1024),4)
| eval 'WEB_SMOOTH(GB)'=round(sum_smooth/(1024*1024*1024),4)
| eval 'flash(GB)'=round(diff_flash/(1024*1024*1024),4)
| fields client_ip WMT(GB) WEB_HTTP(GB) WEB_SMOOTH(GB) flash(GB) | addtotals

answered 12 Feb '12, 17:30

KarunK
accept rate: 18%


Copyright © 2005-2014 Splunk Inc. All rights reserved.