Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Combine search and sub search without losing records?

atornes
Path Finder
‎01-03-2012 03:35 PM

I am performing a search and sub search and would like to combine the results into a single result set. I have run the 2 searches individually and have an idea of what the combined result set should be. I have tried to join, append, appendcol the sub search with all of the different options inner/outer join, overwrite/override=true/false, etc. and in all of these cases, my result set is missing records that should be in there (i.e. combined i should have like 30 unique records but the max I get is 10).

Any idea what might be going on? There are some records that appear in both searches and some that are only in 1. In most cases, it seems like the sub search results are the ones that are missing.

Tags (3)
Reply
1 Solution
Solved! Jump to solution
Solution

atornes
Path Finder
‎01-05-2012 01:13 PM

Figured it out with an append then running another running another stats command to add values from both result sets and grouping by the primary key

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

atornes
Path Finder
‎01-05-2012 01:13 PM

Figured it out with an append then running another running another stats command to add values from both result sets and grouping by the primary key

0 Karma
Reply
Solved! Jump to solution

atornes
Path Finder
‎01-05-2012 01:22 PM

I can't share my data, as its private customer data, but i can walk you through it in pseudo code and maybe that will help...

sourcetype=X | Where Var1=a OR (Var2=b OR Var2=d) OR Var3=g | stats count(var1), sum(var2), sum(var3) by var4 | append [search sourcetype=X | Where (Not var1=a) AND (var2=c OR var2=f) | stats count(var1), su(var2), sum(var3) by var4]

The append, combined my result sets, but it resulted in duplicates of var4. So then I added another stats command like: stats sum(var1), sum(var2), sum(var3) by var4. This combined the duplicates and added the values.

That Help?

0 Karma
Reply
Solved! Jump to solution

howyagoin
Contributor
‎01-05-2012 01:14 PM

Would you be willing to share an example? I've been battling with this one for a while and it might save some time...thanks!

0 Karma
Reply
Solved! Jump to solution

lpolo
Motivator
‎01-04-2012 11:32 AM

so provide the events samples and query so we can help....

0 Karma
Reply
Solved! Jump to solution

atornes
Path Finder
‎01-04-2012 08:16 AM

time is not the issue, the sub search runs quickly

The sub search has 9 results/events

0 Karma
Reply
Solved! Jump to solution

lpolo
Motivator
‎01-04-2012 08:12 AM

You might be facing a sub-search limitation. To help you let's know how many events your sub-search has...

0 Karma
Reply
Solved! Jump to solution

bbingham
Builder
‎01-03-2012 06:42 PM

how long does your sub search take to run?

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...