Solved: can I join report results

MonkeyK · ‎12-07-2017

Say I have two scheduled reports with results like:

report1 - source destination score1
report2 - source destination score2

how can I join the results of these two scheduled reports so that I can see
combined report: source destination score1 score2

(note, the actual reports are far more complex and I cannot simply combine the queries to make one new report)
I have considered (and solved) writing the output to a lookup table and doing the joins from those. There is some appeal to that, but I would like to know how to do it without lookup tables.

cmerriman · ‎12-07-2017

you sure can!

I would try to use loadjob
https://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/Loadjob

| loadjob savedsearch="username:appname:report1"|fields source destination score1|join source destination [| loadjob savedsearch="username:appname:report2"|fields source destination score2]

tweak as needed.

View solution in original post

jplumsdaine22 · ‎12-07-2017

Have a look at the | savedsearch or |loadjob commands

Basically you can run

| loadjob savedsearch="<user-string>:<app-string>:report1"| append [| loadjob savedsearch="<user-string>:<app-string>:report2"]

cmerriman · ‎12-07-2017

you sure can!

I would try to use loadjob
https://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/Loadjob

| loadjob savedsearch="username:appname:report1"|fields source destination score1|join source destination [| loadjob savedsearch="username:appname:report2"|fields source destination score2]

tweak as needed.

MonkeyK · ‎12-07-2017

Works great! Thanks cmerriman!

can I join report results

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life