Please help me with this query.
-- I have a query which produces a result like
uid   user   ip
1001  xyz    1.1.1.1
1002  abc    1.1.1.1
-- another query which returns
ip    logintime   loginLength
xyz   10:00       180
abc   15:00       280
=> how can I combine the results like
uid   loginlength
1001  180
1002  280
Thanks!
First get the first query's data, i.e. uid and user: index=your_index_name | stats count by uid user
Then map it onto the second query: | map search="search index=your_index_name ip=$user$ ..."
and then display it as: | stats first(loginLength) as $uid$
The final query is:

index=your_index_name | stats count by uid user
| map search="search index=your_index_name ip=$user$ | stats first(loginLength) as $uid$"
| transpose
It would be a great help if you posted your searches. Also check out this handy guide on event correlation:
http://docs.splunk.com/Documentation/Splunk/6.3.2/Search/Abouteventcorrelation
Without knowing your searches, the suggestion would be this:
your first search giving uid, user, ip | append [ your second search giving ip logintime loginLength ] | stats values(loginLength) as loginLength by uid
There may be an option to avoid the subsearch, but we can't tell unless we see your actual searches.
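The two answers above differ in how they bring the uid table and the login table together: the first correlates them on the shared user value (the `map` passes each user into the second search), while the second appends the two result sets and then groups by uid. The added Python example below is not from this thread or from Splunk; it rebuilds the question's two result tables as constructed rows and implements both approaches on them, so you can see why a join needs a key present on both sides and what a `stats ... by uid` over appended rows does when the appended rows carry no uid (Splunk drops events that lack the by-field, which the emulation reproduces). The column names `uid`, `user`, `ip`, `loginLength` come from the question; the function names `correlate` and `append_then_stats_by_uid` are assumptions made for this example. This is the same identity-to-session correlation an analyst performs when tying login activity back to an account during an investigation.

```python
# Added example (not from the original thread): correlating two result sets
# on a shared key, and emulating "append then stats by uid" for comparison.
from collections import defaultdict

# Constructed sample rows mirroring the question's two tables. The question
# labels the second table's first column "ip", but its values (xyz, abc) are
# the same user names that appear in the first table, so that is the join key.
USERS = [
    {"uid": "1001", "user": "xyz", "ip": "1.1.1.1"},
    {"uid": "1002", "user": "abc", "ip": "1.1.1.1"},
]
LOGINS = [
    {"ip": "xyz", "logintime": "10:00", "loginLength": "180"},
    {"ip": "abc", "logintime": "15:00", "loginLength": "280"},
]


def correlate(left, right, left_key, right_key, keep):
    """Inner-join two lists of dict rows where left[left_key] == right[right_key].

    Mirrors what the map/join approach achieves: every left row is matched
    with the right rows sharing its key, and only the requested fields
    (e.g. uid and loginLength) are kept. Rows with no match are dropped.
    """
    by_key = defaultdict(list)
    for row in right:
        by_key[row.get(right_key)].append(row)
    joined = []
    for row in left:
        for match in by_key.get(row.get(left_key), []):
            merged = {**match, **row}  # left-side fields win on a name clash
            joined.append({field: merged.get(field) for field in keep})
    return joined


def append_then_stats_by_uid(left, right, field):
    """Emulate `<search1> | append [<search2>] | stats values(field) by uid`.

    Splunk's stats excludes events that lack the by-field, so rows coming
    from the appended search contribute nothing unless they carry a uid.
    Returns {uid: sorted distinct values of field}.
    """
    groups = defaultdict(set)
    for row in left + right:
        uid = row.get("uid")
        if uid is None or field not in row:
            continue  # no by-field or no value: stats ignores the event
        groups[uid].add(row[field])
    return {uid: sorted(values) for uid, values in groups.items()}


if __name__ == "__main__":
    # Join on user == ip and keep only the two columns the question asks for.
    print(correlate(USERS, LOGINS, "user", "ip", ["uid", "loginLength"]))
    # The appended rows have no uid, so nothing is grouped.
    print(append_then_stats_by_uid(USERS, LOGINS, "loginLength"))
```

Running the block prints the desired `uid`/`loginLength` pairs from `correlate`, and an empty result from `append_then_stats_by_uid`, which is what the append-based search returns unless the second search is first given a uid (for example by looking it up from the user name) so both sides share the grouping field.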