Reference post
https://community.splunk.com/t5/Splunk-Search/How-to-align-events-returned-by-two-separate-searches-in-a-table/m-p/475647#M133670
Hi Team,
I have a similar use case to the above post but cannot get the provided solution to work. Following is my query:
index=_audit action=alert_fired
| lookup splunkalerts "Alert Name" as ss_name OUTPUT "CMDB Application Name" AS Application
| search Application="Test"
| stats count(triggered_alerts) as triggered_alerts by Application ss_name severity
| rename ss_name as "Alert Name" severity as "Severity"
| appendcols
    [ | rest /servicesNS/-/-/saved/searches timeout=120
      | lookup splunkalerts "Alert Name" AS title OUTPUT "CMDB Application Name" AS Application "Pipeline Alert" "PROD?"
      | search Application="Test"
      | rename eai:acl.owner as owner title as "Alert Name"
      | fields owner "Alert Name" Application,"Pipeline Alert","PROD?",alert.track,disabled,search,action.email.to,cron_schedule ]
| table Application,"Alert Name",Severity,triggered_alerts,"PROD?","Pipeline Alert",alert.track,disabled,search,action.email.to,cron_schedule
The issue I am having with the above query is that the triggered_alerts count returned from the outer query is not aligned with the search field value returned from the sub search after the appendcols.
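The misalignment comes from how appendcols works: it pastes row n of the subsearch next to row n of the outer results, with no key to match on. The outer stats output is ordered by its group-by fields while the rest output is in whatever order the REST endpoint returns saved searches, so row n on the left and row n on the right are usually different alerts, and the disabled/owner/search columns end up beside the wrong triggered_alerts count. For an alert-coverage report that is exactly the kind of table you would audit to see which detections are disabled or unowned, so the rows must be joined on the alert name rather than by position. The query below is an added example, not the original poster's query or a verified Splunk answer; it keeps the post's lookup (splunkalerts), index and field names, assumes that "Alert Name" in the lookup matches the saved-search title exactly, and introduces a temporary field alert_name (an assumption, chosen because join is simpler with a key that has no spaces).

```spl
index=_audit action=alert_fired
| lookup splunkalerts "Alert Name" AS ss_name OUTPUT "CMDB Application Name" AS Application
| search Application="Test"
| stats count(triggered_alerts) AS triggered_alerts BY Application ss_name severity
| rename ss_name AS alert_name, severity AS Severity
| join type=left alert_name
    [ | rest /servicesNS/-/-/saved/searches timeout=120
      | lookup splunkalerts "Alert Name" AS title OUTPUT "CMDB Application Name" AS Application "Pipeline Alert" "PROD?"
      | search Application="Test"
      | rename title AS alert_name, eai:acl.owner AS owner
      | fields alert_name owner "Pipeline Alert" "PROD?" alert.track disabled search action.email.to cron_schedule ]
| rename alert_name AS "Alert Name"
| table Application "Alert Name" Severity triggered_alerts "PROD?" "Pipeline Alert" alert.track disabled search action.email.to cron_schedule
```

type=left keeps every alert that fired even if its saved search no longer exists (or has been renamed), which is worth seeing in a coverage report rather than silently dropping it; Application is deliberately left out of the subsearch's fields so the outer value is not overwritten. Note that a join subsearch is capped by limits.conf (subsearch_maxout, 50,000 rows by default); with a very large number of saved searches, the same alignment can be done with append followed by stats values(*) AS * BY alert_name, which has no join-side limit.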