https://community.splunk.com/t5/Splunk-Enterprise/How-to-add-another-column-from-the-same-index-with-stats/m-p/633025#M15562 <P>Hello all,</P><P>How to add&nbsp; another column from the same index with stats function?</P><P>| makeresults count=1 | addinfo | eval days=mvrange(info_min_time, info_max_time, "1d") | mvexpand days | eval _time=days<BR />| join type=outer _time [ search index="*appevent" Type="*splunk" | bucket _time span=day | stats count by _time]<BR />| rename count as "Total"<BR />| eval "New_Date"=strftime(_time,"%Y-%m-%d")<BR />| table "New_Date" "Total"| fillnull value=0 "Total"</P><P>&nbsp;</P><P>I have used join because I need 30 days data even with 0. Please suggest.&nbsp;</P> Thu, 02 Mar 2023 15:27:10 GMT Neel881 2023-03-02T15:27:10Z https://community.splunk.com/t5/Splunk-Enterprise/How-to-add-another-column-from-the-same-index-with-stats/m-p/633025#M15562 <P>Hello all,</P><P>How to add&nbsp; another column from the same index with stats function?</P><P>| makeresults count=1 | addinfo | eval days=mvrange(info_min_time, info_max_time, "1d") | mvexpand days | eval _time=days<BR />| join type=outer _time [ search index="*appevent" Type="*splunk" | bucket _time span=day | stats count by _time]<BR />| rename count as "Total"<BR />| eval "New_Date"=strftime(_time,"%Y-%m-%d")<BR />| table "New_Date" "Total"| fillnull value=0 "Total"</P><P>&nbsp;</P><P>I have used join because I need 30 days data even with 0. Please suggest.&nbsp;</P> Thu, 02 Mar 2023 15:27:10 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-to-add-another-column-from-the-same-index-with-stats/m-p/633025#M15562 Neel881 2023-03-02T15:27:10Z https://community.splunk.com/t5/Splunk-Enterprise/How-to-add-another-column-from-the-same-index-with-stats/m-p/633031#M15564 <P>Have you tried this: (timechart uses earliest and latest (info_min_time and info_max_time respectively) and should fill in the missing days automatically)</P><LI-CODE lang="markup">index="*appevent" Type="*splunk" | timechart span=1d count as "Total" | eval "New_Date"=strftime(_time,"%Y-%m-%d") | table "New_Date" "Total"</LI-CODE> Thu, 02 Mar 2023 15:59:48 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-to-add-another-column-from-the-same-index-with-stats/m-p/633031#M15564 ITWhisperer 2023-03-02T15:59:48Z https://community.splunk.com/t5/Splunk-Enterprise/How-to-add-another-column-from-the-same-index-with-stats/m-p/633033#M15565 <P>You can use append instead of join.</P><LI-CODE lang="markup">| makeresults count=1 | addinfo | eval days=mvrange(info_min_time, info_max_time, "1d") | mvexpand days | eval _time=days, count=0 | append [ search index="*appevent" Type="*splunk" | bucket _time span=day | stats count by _time ] | stats max(count) as Total by _time | eval "New_Date"=strftime(_time,"%Y-%m-%d") | table "New_Date" "Total"</LI-CODE><P>Or you can let timechart fill in the zeros.</P><LI-CODE lang="markup">index="*appevent" Type="*splunk" | timechart span=1d count as Total by _time | eval "New_Date"=strftime(_time,"%Y-%m-%d") | table "New_Date" "Total"</LI-CODE> Thu, 02 Mar 2023 16:07:51 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-to-add-another-column-from-the-same-index-with-stats/m-p/633033#M15565 richgalloway 2023-03-02T16:07:51Z https://community.splunk.com/t5/Splunk-Enterprise/How-to-add-another-column-from-the-same-index-with-stats/m-p/633149#M15570 <P>Thank you for your response.</P><P>I need to add another column from the same index ('index="*appevent" Type="*splunk" ). Column name is 'Type'. My question is how to add column 'Type' with the existing query?</P><P>Expecting output-&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Neel881_0-1677845873580.png" style="width: 990px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/24176i11F5AE83EA324074/image-dimensions/990x120?v=v2" width="990" height="120" role="button" title="Neel881_0-1677845873580.png" alt="Neel881_0-1677845873580.png" /></span></P><LI-CODE lang="markup">| makeresults count=1 | addinfo | eval days=mvrange(info_min_time, info_max_time, "1d") | mvexpand days | eval _time=days, count=0 | append [ search index="*appevent" Type="*splunk" | bucket _time span=day | stats count by _time ] | stats max(count) as Total by _time | eval "New_Date"=strftime(_time,"%Y-%m-%d") | table "New_Date" "Total"</LI-CODE><P>&nbsp;</P><P>&nbsp;</P> Fri, 03 Mar 2023 12:20:41 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-to-add-another-column-from-the-same-index-with-stats/m-p/633149#M15570 Neel881 2023-03-03T12:20:41Z https://community.splunk.com/t5/Splunk-Enterprise/How-to-add-another-column-from-the-same-index-with-stats/m-p/633152#M15571 <P>Thank you for your response.</P><P>I getting I need to add another column from the same index ('index="*appevent" Type="*splunk" ). Column name is 'Type'. My question is how to add column 'Type' with the existing query?</P><P>Expecting output-&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Neel881_0-1677847493745.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/24177i4B9282F22A5B8F27/image-size/medium?v=v2&amp;px=400" role="button" title="Neel881_0-1677847493745.png" alt="Neel881_0-1677847493745.png" /></span></P><P>&nbsp;</P> Fri, 03 Mar 2023 12:45:01 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-to-add-another-column-from-the-same-index-with-stats/m-p/633152#M15571 Neel881 2023-03-03T12:45:01Z https://community.splunk.com/t5/Splunk-Enterprise/How-to-add-another-column-from-the-same-index-with-stats/m-p/633154#M15572 <LI-CODE lang="markup">index="*appevent" Type="*splunk" | timechart span=1d count as "Total" by Type | eval "New_Date"=strftime(_time,"%Y-%m-%d") | untable New_Date Type Total</LI-CODE> Fri, 03 Mar 2023 13:03:44 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-to-add-another-column-from-the-same-index-with-stats/m-p/633154#M15572 ITWhisperer 2023-03-03T13:03:44Z https://community.splunk.com/t5/Splunk-Enterprise/How-to-add-another-column-from-the-same-index-with-stats/m-p/633164#M15574 <P>The stats command is a transforming command so it discards any fields it doesn't produce or group by.&nbsp; Add new fields to stats to get them in the output.</P><LI-CODE lang="markup">| makeresults count=1 | addinfo | eval days=mvrange(info_min_time, info_max_time, "1d") | mvexpand days | eval _time=days, count=0 | append [ search index="*appevent" Type="*splunk" | bucket _time span=day | stats count by _time, Type ] | stats max(count) as Total by _time, Type | eval "New_Date"=strftime(_time,"%Y-%m-%d") | table "New_Date" "Total" Type</LI-CODE> Fri, 03 Mar 2023 13:28:54 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-to-add-another-column-from-the-same-index-with-stats/m-p/633164#M15574 richgalloway 2023-03-03T13:28:54Z https://community.splunk.com/t5/Splunk-Enterprise/How-to-add-another-column-from-the-same-index-with-stats/m-p/633165#M15575 <P>Its working thank you so much!</P> Fri, 03 Mar 2023 13:33:26 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-to-add-another-column-from-the-same-index-with-stats/m-p/633165#M15575 Neel881 2023-03-03T13:33:26Z https://community.splunk.com/t5/Splunk-Enterprise/How-to-add-another-column-from-the-same-index-with-stats/m-p/633721#M15632 <P>Hi,&nbsp;</P><P>How to add/join another column from the same search? Phase is the another column in the same index.</P><PRE>index="*appevent" Type="*splunk" | timechart span=1d count as "Total" by Type | eval "New_Date"=strftime(_time,"%Y-%m-%d") | untable New_Date Type Total</PRE><P>Pls suggest</P> Wed, 08 Mar 2023 13:15:14 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-to-add-another-column-from-the-same-index-with-stats/m-p/633721#M15632 Neel881 2023-03-08T13:15:14Z