
Can I append results from 2 different sourcetypes?

xvxt006
Contributor

Hi,

I am trying to append results from 2 different sources and I am not seeing results populated, especially for the subsearch. Most of the time the first search will not have any values (in a timechart it would be 0s), but the subsearch will always have values as it is response time. But it is not showing any values for the subsearch. I have tried join, etc. but no use. Basically I am trying to view response time over time on top of the first search results.

sourcetype=X    date_hour > 8 date_hour < 19 date_wday!=Sunday date_wday!=Saturday | timechart  count  | appendcols [search sourcetype=Y | timechart avg(rt_sec) as RespTime]
0 Karma

somesoni2
SplunkTrust

Try this workaround

sourcetype=X    date_hour > 8 date_hour < 19 date_wday!=Sunday date_wday!=Saturday | timechart  count  | append [search sourcetype=Y | timechart avg(rt_sec) as RespTime] | stats first(*) as * by _time
0 Karma

xvxt006
Contributor

I am able to get results if I use a left join and have a max value specified. Like this... join type=left max=600 _time

0 Karma

xvxt006
Contributor

I am not getting the 2nd column at all. I have switched base search vs. subsearch.

0 Karma

somesoni2
SplunkTrust

Also, since the subsearch always returns values, can you make it the base search and use the base search (which doesn't always return results) as the subsearch? You can use the table command to correct the order of the fields.

0 Karma

somesoni2
SplunkTrust

Try without the last stats and let me know the columns you're getting...

0 Karma

xvxt006
Contributor

I have tried to use stats with bucket _time. I see 2 columns, but as the first part has only a few values, I am not seeing data points when it is missing values.

0 Karma

xvxt006
Contributor

Hi, I am not getting any results if I use that.

0 Karma