topic Re: Can you make append not start on a new line? in Splunk Search

Can you make append not start on a new line?

summitsplunk — Fri, 13 Apr 2018 21:18:02 GMT

LIke if I run this query:

index=myindex | stats count AS Total1 BY host | append [ search index=myindex | stats count AS Total2 BY source]

I want the statistics for Total2 to be on the same line as Total1, or am I just using the wrong command?

I just want to make two search queries of the same index to be able to compare them on the statistics tab.

Re: Can you make append not start on a new line?

elliotproebstel — Fri, 13 Apr 2018 23:15:21 GMT

It will always do that, but this will give you what you want:

index=myindex 
| stats count AS Total1 BY host 
| append 
 [ search index=myindex 
  | stats count AS Total2 BY source]
| stats max(Total1) AS Total1 max(Total2) AS Total2 by host, source

Re: Can you make append not start on a new line?

niketn — Sat, 14 Apr 2018 09:26:41 GMT

@summitsplunk, depends on what is your use case and what is the required output.

index=_internal log_level=* sourcetype=*
| stats count AS Total1 BY log_level 
| append 
    [ search index=_internal 
    | stats count AS Total2 BY sourcetype] 
| fillnull value="-"  
| stats max(Total1) AS Total1 max(Total2) AS Total2 by log_level, sourcetype

index=_internal log_level=* sourcetype=*
| stats count AS Total BY log_level 
| rename log_level as Field
| append 
    [ search index=_internal 
    | stats count AS Total BY sourcetype
    | rename sourcetype as Field]

index=_internal log_level=* sourcetype=*
| stats count AS Total BY log_level, sourcetype
| eventstats sum(Total) as Total_log_level by log_level
| eventstats sum(Total) as Total_sourcetype by sourcetype

index=_internal log_level=* sourcetype=*
| stats count AS Total BY log_level, sourcetype
| chart last(Total) as Total by log_level sourcetype
| fillnull value=0
| addtotals col=t row=t labelfield=log_level label=Total

See if one of them fits your needs.

Re: Can you make append not start on a new line?

niketn — Sat, 14 Apr 2018 09:28:24 GMT

@elliotproebstel, you should have fillnull to ensure null fields are still accounted in the final stats | fillnull value="-"

Re: Can you make append not start on a new line?

Kirantcs — Sat, 14 Apr 2018 13:37:29 GMT

Hi instead of append,try join

index=a
|stats count by host
|join type=left/inner host
[search index=b
|stats count by host]

Re: Can you make append not start on a new line?

elliotproebstel — Sat, 14 Apr 2018 16:45:30 GMT

Nice correction, thanks!

Re: Can you make append not start on a new line?

summitsplunk — Sat, 14 Apr 2018 17:56:13 GMT

Thanks everyone. All were good ideas but they only let me accept one answer.

Re: Can you make append not start on a new line?

niketn — Sat, 14 Apr 2018 18:53:54 GMT

@summitsplunk, since you have already up-voted the remaining answers, you have done your part. Glad you could find the answers useful 🙂