Splunk Search

How to join two searches for stats command

prakashbhanu407
New Member

I have 2 queries and need to show the result of both in one table

index=someindex queryType="ts" filename=PNASC.HRBDT status=1 | dedup filename |rename filename as Daily| stats count(Daily)
Daily Query Output

index=someindex queryType="ts" filename=RECON status=1 | dedup filename |rename filename as Weekly | stats count(Weekly)

both the above queries work individually but when joined as below

index=someindex queryType="ts" filename=RECON status=1| dedup filename |rename filename as Weekly| join queryType [search index=someindex queryType="ts" filename=PNASC.HRBDT status=1 | dedup filename |rename filename as Daily ]| stats count(Daily),count(Weekly)

gives incorrect output

Joined query output

0 Karma
1 Solution

fdi01
Motivator

try like

index=someindex queryType="ts" filename=PNASC.HRBDT status=1 | dedup filename |rename filename as Daily| stats count(Daily)|appendcols  [search index=someindex queryType="ts" filename=RECON status=1 | dedup filename |rename filename as Weekly | stats count(Weekly)]

View solution in original post

fdi01
Motivator

try like

index=someindex queryType="ts" filename=PNASC.HRBDT status=1 | dedup filename |rename filename as Daily| stats count(Daily)|appendcols  [search index=someindex queryType="ts" filename=RECON status=1 | dedup filename |rename filename as Weekly | stats count(Weekly)]

seeyonraj
Engager

Perfect!

0 Karma

prakashbhanu407
New Member

I was trying Joining the 2 searches but "appendcols" worked like a charm...thanks.

0 Karma

sk314
Builder

I am not sure why you are deduping. Assuming that's what you want...try this:

index=someindex queryType="ts" filename=RECON OR filename=PNASC.HRBDT status=1| dedup filename | stats count by  filename
0 Karma

prakashbhanu407
New Member

The files have date timestamp extension and I need to show them bundled by the types...hence this will not work.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...