How do I get results of all values in 2 subqueries?

Anantha123
Communicator

I have 2 of the same subqueries in my search with different time periods. So, both results are different.

If I use "appendcols", the results shown are incorrect. The values jump to fill some empty fields in between.

If I use "join", it's like a self join or inner join. It gives results that are in common in both queries.

If I use "join type=left", I am not getting the results from query 2 that are not there in query 1, as it considers query 1 to be primary.

I want all the results of subquery1 and subquery2 even if they are not there in any one of the subqueries (like union).

Please help.

0 Karma

vnravikumar
Champion

Hi @Anantha123

Try

firstquery|append[| second query]
0 Karma

Anantha123
Communicator

append won't help me as I want the results of both queries combined. I will get the below result if I use append.

Result of 1st Query

Operation1 Failure1
Operation2 Failure2
Operation3 Failure3

Results of 2nd Query
Operation1 Total1
Operation2 Total2
Operation4 Total4

If I use append, I will get the result as below
Operation1 Failure1 0
Operation2 Failure2 0
Operation3 Failure3 0
Operation1 0 Total1
Operation2 0 Total2
Operation4 0 Total4

I want output as
Operation1 Failure1 Total1
Operation2 Failure2 Total2
Operation3 Failure3 0
Operation4 0 Total4

0 Karma
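An added example, not posted by either participant: one way to get the union-style result described above is to keep `append` and then collapse the appended rows with `stats ... by Operation`, so each operation ends up on a single row, with `fillnull` supplying 0 where one side had no value. The two `makeresults` pipelines stand in for the real subqueries, and the operation names and counts in them are constructed sample data.

```spl
| makeresults
| eval row=split("Operation1,3;Operation2,5;Operation3,2", ";")
| mvexpand row
| eval Operation=mvindex(split(row, ","), 0), Failure=tonumber(mvindex(split(row, ","), 1))
| fields Operation Failure
| append
    [| makeresults
     | eval row=split("Operation1,10;Operation2,20;Operation4,7", ";")
     | mvexpand row
     | eval Operation=mvindex(split(row, ","), 0), Total=tonumber(mvindex(split(row, ","), 1))
     | fields Operation Total]
| stats sum(Failure) as Failure sum(Total) as Total by Operation
| fillnull value=0 Failure Total
| sort Operation
```

Operation3 appears only in the first result set and Operation4 only in the second, so both survive the merge with 0 in the missing column, which `join` and `join type=left` would not give.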