- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- "Join" search and sub search and sum value of over...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm trying to combine the results of a search and subsearch. They have overlapping fields but different result sets. There is some overlap in the 2 result sets and I want to combine the 2 result sets and add the values of 1 field for the overlapping results (i.e. I have a "volume" column and I want to add the value for "apple" volume in search A with the "apple" volume in Search B and end up with a single "apple" record in the combined resultset.
I've tried join, append, and appendcols and can't figure out how to add the values of an overlapping record. Any suggestions?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm not 100% sure I understand what you are trying to do, but I'll take a stab at this. What you probably want to do, is rename the fields in your subsearch so they have different names than the main search (so use | rename apple as subapple in "Search B"). Then join the two searches with the join command (make sure you use an inner or outer join as appropriate). The resultant joined events will have an "apple" and a "subapple" field. You can then append | eval apple = apple + subapple to sum the two fields and store that value as the new "apple".
There are other variations of the above (such as using multivalued fields) that would also work, but that will be the easiest to get working.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm not 100% sure I understand what you are trying to do, but I'll take a stab at this. What you probably want to do, is rename the fields in your subsearch so they have different names than the main search (so use | rename apple as subapple in "Search B"). Then join the two searches with the join command (make sure you use an inner or outer join as appropriate). The resultant joined events will have an "apple" and a "subapple" field. You can then append | eval apple = apple + subapple to sum the two fields and store that value as the new "apple".
There are other variations of the above (such as using multivalued fields) that would also work, but that will be the easiest to get working.
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
