https://community.splunk.com/t5/Knowledge-Management/How-to-range-columns-and-rows/m-p/317653#M5291 <P>Give this a try</P> <PRE><CODE>(index=index1 sourcetype=index1_log) OR (index=index2 sourcetype=index2_log) | rex field=_raw "(?&lt;Message&gt;(exception|message)\s\w+\s\w+)" |stats count as "Hit Count" by Message </CODE></PRE> Tue, 11 Apr 2017 16:25:21 GMT somesoni2 2017-04-11T16:25:21Z https://community.splunk.com/t5/Knowledge-Management/How-to-range-columns-and-rows/m-p/317645#M5283 <P>I have the following result from Splunk Query using appCols because same logs always has different events with different message</P> <P>message1 or message2 just a name..</P> <P>Message Count1 Message2 count2 <BR /> hello 5 hi 10</P> <P>Output i am looking is :<BR /> Message count --&lt; Header Fields&gt;<BR /> hello 5<BR /><BR /> hi 10 </P> Mon, 10 Apr 2017 21:30:24 GMT https://community.splunk.com/t5/Knowledge-Management/How-to-range-columns-and-rows/m-p/317645#M5283 jw44250 2017-04-10T21:30:24Z https://community.splunk.com/t5/Knowledge-Management/How-to-range-columns-and-rows/m-p/317646#M5284 <P>Instead of appendcols, you should use just append. Also, remember to rename the fields in 2nd search (Message2 and count2) same as first search.</P> <PRE><CODE>search 1 | table Message Count | append [search 2 | table Message2 Count2 | rename Message2 as Message Count2 as Count ] </CODE></PRE> <P>See this to know difference between append and appendcols.<BR /> <A href="https://answers.splunk.com/answers/144351/what-are-the-differences-between-append-appendpipe.html">https://answers.splunk.com/answers/144351/what-are-the-differences-between-append-appendpipe.html</A></P> Mon, 10 Apr 2017 21:33:44 GMT https://community.splunk.com/t5/Knowledge-Management/How-to-range-columns-and-rows/m-p/317646#M5284 somesoni2 2017-04-10T21:33:44Z https://community.splunk.com/t5/Knowledge-Management/How-to-range-columns-and-rows/m-p/317647#M5285 <P>it is same index. but i have to extract different fields each time from events.. since the events returns has different message</P> Mon, 10 Apr 2017 21:56:13 GMT https://community.splunk.com/t5/Knowledge-Management/How-to-range-columns-and-rows/m-p/317647#M5285 jw44250 2017-04-10T21:56:13Z https://community.splunk.com/t5/Knowledge-Management/How-to-range-columns-and-rows/m-p/317648#M5286 <P>i using transport i didnt work ..</P> Mon, 10 Apr 2017 21:57:39 GMT https://community.splunk.com/t5/Knowledge-Management/How-to-range-columns-and-rows/m-p/317648#M5286 jw44250 2017-04-10T21:57:39Z https://community.splunk.com/t5/Knowledge-Management/How-to-range-columns-and-rows/m-p/317649#M5287 <P>Thanks it did work.</P> Mon, 10 Apr 2017 22:03:11 GMT https://community.splunk.com/t5/Knowledge-Management/How-to-range-columns-and-rows/m-p/317649#M5287 jw44250 2017-04-10T22:03:11Z https://community.splunk.com/t5/Knowledge-Management/How-to-range-columns-and-rows/m-p/317650#M5288 <P>Glad it's working for you. If it's same index, you probably don't need a subsearch. If you could share you search, we can look at it to see if both searches can be merged into one for better performance.</P> Mon, 10 Apr 2017 22:22:17 GMT https://community.splunk.com/t5/Knowledge-Management/How-to-range-columns-and-rows/m-p/317650#M5288 somesoni2 2017-04-10T22:22:17Z https://community.splunk.com/t5/Knowledge-Management/How-to-range-columns-and-rows/m-p/317651#M5289 <P>Here is the Splunk Query..</P> <P>index=index1 sourcetype=index1_log | rex field=_raw "(?exception\s\w+\s\w+)" |stats count by Message| table Message count | append<BR /> [search index=index2 sourcetype=index2_log | rex field=_raw "(?message\s\w+\s\w+)" |stats count as count1 by message| table message count1 |rename message as Message count1 as count] | rename count as "Hit Count"</P> Tue, 29 Sep 2020 13:35:52 GMT https://community.splunk.com/t5/Knowledge-Management/How-to-range-columns-and-rows/m-p/317651#M5289 jw44250 2020-09-29T13:35:52Z https://community.splunk.com/t5/Knowledge-Management/How-to-range-columns-and-rows/m-p/317652#M5290 <P>When adding timechart span=3h count usenull=f useother=f into both indexes getting error :- please rename count columns.</P> Tue, 11 Apr 2017 16:21:02 GMT https://community.splunk.com/t5/Knowledge-Management/How-to-range-columns-and-rows/m-p/317652#M5290 jw44250 2017-04-11T16:21:02Z https://community.splunk.com/t5/Knowledge-Management/How-to-range-columns-and-rows/m-p/317653#M5291 <P>Give this a try</P> <PRE><CODE>(index=index1 sourcetype=index1_log) OR (index=index2 sourcetype=index2_log) | rex field=_raw "(?&lt;Message&gt;(exception|message)\s\w+\s\w+)" |stats count as "Hit Count" by Message </CODE></PRE> Tue, 11 Apr 2017 16:25:21 GMT https://community.splunk.com/t5/Knowledge-Management/How-to-range-columns-and-rows/m-p/317653#M5291 somesoni2 2017-04-11T16:25:21Z https://community.splunk.com/t5/Knowledge-Management/How-to-range-columns-and-rows/m-p/317654#M5292 <P>YOu're getting that in same query? </P> Tue, 11 Apr 2017 16:25:47 GMT https://community.splunk.com/t5/Knowledge-Management/How-to-range-columns-and-rows/m-p/317654#M5292 somesoni2 2017-04-11T16:25:47Z https://community.splunk.com/t5/Knowledge-Management/How-to-range-columns-and-rows/m-p/317655#M5293 <P>let me tried it..thanks</P> Tue, 11 Apr 2017 16:40:44 GMT https://community.splunk.com/t5/Knowledge-Management/How-to-range-columns-and-rows/m-p/317655#M5293 jw44250 2017-04-11T16:40:44Z