Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Combine search and sub search without losing records?

atornes
Path Finder
‎01-03-2012 03:35 PM

I am performing a search and sub search and would like to combine the results into a single result set. I have run the 2 searches individually and have an idea of what the combined result set should be. I have tried to join, append, appendcol the sub search with all of the different options inner/outer join, overwrite/override=true/false, etc. and in all of these cases, my result set is missing records that should be in there (i.e. combined i should have like 30 unique records but the max I get is 10).

Any idea what might be going on? There are some records that appear in both searches and some that are only in 1. In most cases, it seems like the sub search results are the ones that are missing.

Tags (3)
Reply
1 Solution
Solved! Jump to solution
Solution

atornes
Path Finder
‎01-05-2012 01:13 PM

Figured it out with an append then running another running another stats command to add values from both result sets and grouping by the primary key

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

atornes
Path Finder
‎01-05-2012 01:13 PM

Figured it out with an append then running another running another stats command to add values from both result sets and grouping by the primary key

0 Karma
Reply
Solved! Jump to solution

atornes
Path Finder
‎01-05-2012 01:22 PM

I can't share my data, as its private customer data, but i can walk you through it in pseudo code and maybe that will help...

sourcetype=X | Where Var1=a OR (Var2=b OR Var2=d) OR Var3=g | stats count(var1), sum(var2), sum(var3) by var4 | append [search sourcetype=X | Where (Not var1=a) AND (var2=c OR var2=f) | stats count(var1), su(var2), sum(var3) by var4]

The append, combined my result sets, but it resulted in duplicates of var4. So then I added another stats command like: stats sum(var1), sum(var2), sum(var3) by var4. This combined the duplicates and added the values.

That Help?

0 Karma
Reply
Solved! Jump to solution

howyagoin
Contributor
‎01-05-2012 01:14 PM

Would you be willing to share an example? I've been battling with this one for a while and it might save some time...thanks!

0 Karma
Reply
Solved! Jump to solution

lpolo
Motivator
‎01-04-2012 11:32 AM

so provide the events samples and query so we can help....

0 Karma
Reply
Solved! Jump to solution

atornes
Path Finder
‎01-04-2012 08:16 AM

time is not the issue, the sub search runs quickly

The sub search has 9 results/events

0 Karma
Reply
Solved! Jump to solution

lpolo
Motivator
‎01-04-2012 08:12 AM

You might be facing a sub-search limitation. To help you let's know how many events your sub-search has...

0 Karma
Reply
Solved! Jump to solution

bbingham
Builder
‎01-03-2012 06:42 PM

how long does your sub search take to run?

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...