
Joining two similar tabular search results?

dbryan
Path Finder

I'm trying to collate result sets from two different, slightly similar subsearches.

I have one search like this:

`search_visits` | stats count by Domain, Page | eval Visits = count

And another like this:

`search_conversions` | stats count by Domain, Page | eval Conversions = count

I want to combine these to get a report with this structure:

 Domain, Page, Visits, Conversions

So that I can see each combination of Domain/Page pairs and how many Visits and Conversions each of them is associated with.

I thought I could just do this:

`search_visits` | stats count by Domain, Page | eval Visits = count | join type=outer Domain, Page [search `search_conversions` | stats count by Domain, Page | eval Conversions = count] | fields Domain, Page, Visits, Conversions

But if I run a search like this, I just get null values for the conversion column. Any idea what I'm doing wrong?

0 Karma

woodcock
Esteemed Legend

You should be able to chain as many searches as you like this way (but beware limits for subsearch):

`search_visits` | stats count AS Visits BY Domain Page | append [search `search_conversions` | stats count AS Conversions BY Domain Page] | append [search `search_leads` | stats count AS Leads BY Domain Page] | stats values(*) AS * by Domain Page
0 Karma
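
The append-then-stats pattern from the answer above, as an added example that is not part of the original thread. It swaps the three macros for constructed sample rows (the `a.example` / `b.example` values are made up) and assumes a Splunk version whose `makeresults` supports `format=csv`. The `fillnull` and `table` steps are additions for readability.

```spl
| makeresults format=csv data="Domain,Page,Visits
a.example,/home,120
a.example,/pricing,40
b.example,/home,15"
| append
    [| makeresults format=csv data="Domain,Page,Leads
a.example,/home,9
b.example,/home,2"]
| append
    [| makeresults format=csv data="Domain,Page,Conversions
a.example,/home,3
a.example,/pricing,1"]
| stats values(*) AS * BY Domain Page
| fillnull value=0 Visits Leads Conversions
| table Domain Page Visits Leads Conversions
```

A Domain/Page pair that is missing from one source keeps its row and shows 0 in that column. If a source can return more than one row per pair, `values()` yields a multivalue field, so use `sum()` per column instead.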

lguinn2
Legend

I think you should chain these. Can you show the searches that worked? For example, can you show what worked for joining A & B, along with the search for C?

0 Karma

dbryan
Path Finder

I've actually got this working for joining two of these tables; the problem is not when I join three.

I have tables A, B and C. Let's say they have the following format:

Table A:
Domain, Page, Visits

Table B:
Domain, Page, Leads

Table C:
Domain, Page, Conversions

And I want to generate a report with the following format:

Domain, Page, Visits, Leads, Conversions

I've verified that joining A with B works, as does joining B with C, and A with C. Trying to join A, B and C doesn't work. Should I be chaining subsearches, or should I be nesting them?

0 Karma