topic Re: How to use the Format search command in Splunk Search

How to use the Format search command

lpolo — Fri, 15 Jul 2011 12:08:44 GMT

How to use the "Format" search commands using the optinal arguments....

The documentation does not show how to use the optional arguments for this command.

searchsourcetype="tvs-a9-request" |stats dc(TextQuery) as Query|append [search sourcetype="tvs-a9-request" |stats count(MAC) as Number]| format

Result set:
( ( Query="3818" ) OR ( Number="9184" ) )

I would like to format this result set as follow:

query Number
3818 9184

Re: How to use the Format search command

mw — Fri, 15 Jul 2011 20:27:04 GMT

It actually does explain the arguments, which are 6 separate strings:

Optional arguments

<string>
  Syntax: "<string>"
  Description: These six optional string arguments correspond to: ["<row prefix>" "<column prefix>" "<column separator>" "<column end>" "<row separator>" "<row end>"]. By default, when you don't specify any strings, the format output defaults to: "(" "(" "AND" ")" "OR" ")"

The format command is really used in the creation of a search, which is why it will join all rows and columns to create a valid search string. Is that what you're doing here, or are you just looking to get a string to output on a dashboard? If it's the latter, something like this would probably work better. I don't see any reason to use that append subsearch either:

searchsourcetype="tvs-a9-request" 
  | stats dc(TextQuery) as Query count(MAC) as Number 
  | strcat "Query Number " Query " " Number my_new_string

Re: How to use the Format search command

lpolo — Mon, 18 Jul 2011 13:59:34 GMT

Thanks for your reply. In this case, your query is great we do not need append or appendcols commands. I think I was not clear in my previous post. I have two similar queries:

query 1:
sourcetype="tvs-a9-request" NOT forward |stats dc(TextQuery) as Query1

query 2:
sourcetype="tvs-a9-request" AND forward |stats dc(TextQuery) as Query2

how can I get in one query both results set preseted in a table without using append or appendcols commands: example

Query 1 Query 2
125 254

thanks,
Lp

Re: How to use the Format search command

lpolo — Mon, 18 Jul 2011 14:03:22 GMT

Thanks for your reply. In this case, your query is great we do not need append or appendcols commands. I think, I was not clear in my previous post. I have two similar queries:

query 1: sourcetype="tvs-a9-request" NOT forward |stats dc(TextQuery) as Query1

query 2: sourcetype="tvs-a9-request" AND forward |stats dc(TextQuery) as Query2

How can I get in one query both results sets preseted in a table without using append or appendcols commands: example

Query 1 Query 2
125 254

thanks,
Lp

Re: How to use the Format search command

splunker12er — Tue, 20 May 2014 22:55:27 GMT

Try like this :

index=* | stats values(sourcetype) as sourcetype by host | join [search index=* | stats values(source) as source by host]

Re: How to use the Format search command

Lamar — Tue, 20 May 2014 23:14:15 GMT

Use transpose to do that.

searchsourcetype="tvs-a9-request" |stats dc(TextQuery) as Query|append [search sourcetype="tvs-a9-request" |stats count(MAC) as Number]| transpose