Solved: Re: append two search result by #

crazyeva · ‎09-18-2012

I want to append two (or more) search results by event number
search1:
# _raw
1 a
2 b
3 c
search2:
# _raw
1 x
2 y
3 z
I want a result as:
# raw1 raw2
1 a x
2 b y
3 c z
Any one could help me? Thanks

Ayn · ‎09-18-2012

You could use appendcols. The only caveat is that it requires a stats command to be run before it, so you can't use it with table. You could work around this by grabbing the _raw fields one by one anyway, like below.

search1 | stats first(_raw) as raw1 by _raw | appendcols [search search2 | stats first(_raw) as raw2 by _raw]

View solution in original post

Ayn · ‎09-18-2012

You could use appendcols. The only caveat is that it requires a stats command to be run before it, so you can't use it with table. You could work around this by grabbing the _raw fields one by one anyway, like below.

search1 | stats first(_raw) as raw1 by _raw | appendcols [search search2 | stats first(_raw) as raw2 by _raw]

crazyeva · ‎09-21-2012

Thank you! its very cool of "first() by _raw" much better than "list"
Does first(filed1) by filed1 mean "value"?

append two search result by #

Introducing the Splunk Community Dashboard Challenge!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Wondering How to Build Resiliency in the Cloud?