topic Re: Splitting up data into multiple columns in Splunk Search

Splitting up data into multiple columns

eb1929 — Thu, 07 Jan 2021 19:40:58 GMT

Hello i am using the following search

host=XXX sourcetype=ZZZ http_status=500 OR http_status=502 "HighCostAPI"
| stats count by http_status, _time, pzInsKey
| fields http_status _time pzInsKey count
| addcoltotals count

I get the following results

Which is what we wanted originally, now the customer would like to have a count for the 500 errors and the 502 errors separately. I guess it wouldn't be necessary to split the http_status into 2 columns just as long as i can have a count for both.

Re: Splitting up data into multiple columns

scelikok — Thu, 07 Jan 2021 20:29:28 GMT

Hi @eb1929,

You can count http_status codes separately like below;

host=XXX sourcetype=ZZZ http_status=500 OR http_status=502 "HighCostAPI" | eval status_500=if(http_status==500,1,0) | eval status_502=if(http_status==502,1,0) | stats sum(status_500) as status_500 sum(status_502) as status_502 count by http_status, _time, pzInsKey | fields http_status _time pzInsKey status_500 status_502 count | addcoltotals status_500 status_502 count

If this reply helps you an upvote is appreciated.

Re: Splitting up data into multiple columns

bowesmana — Thu, 07 Jan 2021 22:00:12 GMT

@eb1929

You can use the appendpipe command to put 'subtotals' between the different status values like this

which will give you a subtotal row with count as the total for the status. Note that the appendpipe also sets the pzInsKey field to a simple text string to indicate total.

In your dashboard you can then use a technique to highlight that subtotal row. (See dashboard examples Table Row Highlighting) for how to do that.

Re: Splitting up data into multiple columns

eb1929 — Thu, 14 Jan 2021 17:31:51 GMT

That works thank you!!!

Re: Splitting up data into multiple columns

eb1929 — Thu, 14 Jan 2021 17:32:18 GMT

This one worked as well thank you both for this!!!