Splunk Search

Can you combine fields from multiple search in one table?

nieivan
New Member

Hi

I'm trying to combine fields in multiple search result in one output table as overall result, for example:

Search 1 result
time1,username1,condition1

Search 2 result
time1,username1,condition2

Output table
time1,username1,condition1,condition2

Hope I make the question clear.

Thanks!

0 Karma

nieivan
New Member

Thanks,

the example of my search are following
search 1

index=devicelogs host=IP address  check_result="*" | table time,user,check_result

result 1

time,user,check_result

search 2

index=devicelogs host=IP address  client_version="*" | table time,user,client_version

result 2

time, user, client_version

I need to combine the results into one table, which looks like:

time,user,check_result,client_version
0 Karma

cmerriman
Super Champion

can you provide the searches that create those results?

try something like this to create one search:

index=index1 OR index=index2
|eval condition1=if(index="index1",condition,null())
|eval condition2=if(index="index2",condition,null())
|stats values(condition1) as condition1 values(condition2) as condtion2 by time username

or you can use join type=left username time with the two searches. however, there are limits with join.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...