https://community.splunk.com/t5/Splunk-Search/How-to-frame-a-table-from-stats-data/m-p/614706#M213635 <P>I want to create a Bar chart with the logs where the key would be the stats count field name and value would be the sum value</P> <P>Query :&nbsp;</P> <P>search1 | eval has_error = if(match(_raw, "WARNING"),1,0)| stats sum(has_error) as field1| join instance [search2 | eval has_error = if(match(_raw, "WARNING"),1,0)| stats sum(has_error) as field2| join instance [search3 | eval has_error = if(match(_raw, "WARNING"),1,0)| stats sum(has_error) as field3|join instance [search4&nbsp; | eval has_error = if(match(_raw, "WARNING"),1,0)| stats sum(has_error) as field4]]] | stats sum( field1), sum(field2), sum( field3), sum( field4)</P> <P>Current result:</P> <TABLE border="0" width="256" cellspacing="0" cellpadding="0"> <TBODY> <TR> <TD width="64" height="19">field1</TD> <TD width="64">field2</TD> <TD width="64">field3</TD> <TD width="64">field4</TD> </TR> <TR> <TD height="19">30</TD> <TD>44</TD> <TD>122</TD> <TD>6</TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>Expected result:</P> <TABLE border="0" width="128" cellspacing="0" cellpadding="0"> <TBODY> <TR> <TD width="64" height="19">Field</TD> <TD width="64">Count</TD> </TR> <TR> <TD height="19">field1</TD> <TD>30</TD> </TR> <TR> <TD height="19">field2</TD> <TD>44</TD> </TR> <TR> <TD height="19">field3</TD> <TD>122</TD> </TR> <TR> <TD height="19">field4</TD> <TD>6</TD> </TR> </TBODY> </TABLE> <P><BR /><BR /></P> Tue, 27 Sep 2022 14:14:53 GMT ninja_panda 2022-09-27T14:14:53Z https://community.splunk.com/t5/Splunk-Search/How-to-frame-a-table-from-stats-data/m-p/614706#M213635 <P>I want to create a Bar chart with the logs where the key would be the stats count field name and value would be the sum value</P> <P>Query :&nbsp;</P> <P>search1 | eval has_error = if(match(_raw, "WARNING"),1,0)| stats sum(has_error) as field1| join instance [search2 | eval has_error = if(match(_raw, "WARNING"),1,0)| stats sum(has_error) as field2| join instance [search3 | eval has_error = if(match(_raw, "WARNING"),1,0)| stats sum(has_error) as field3|join instance [search4&nbsp; | eval has_error = if(match(_raw, "WARNING"),1,0)| stats sum(has_error) as field4]]] | stats sum( field1), sum(field2), sum( field3), sum( field4)</P> <P>Current result:</P> <TABLE border="0" width="256" cellspacing="0" cellpadding="0"> <TBODY> <TR> <TD width="64" height="19">field1</TD> <TD width="64">field2</TD> <TD width="64">field3</TD> <TD width="64">field4</TD> </TR> <TR> <TD height="19">30</TD> <TD>44</TD> <TD>122</TD> <TD>6</TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>Expected result:</P> <TABLE border="0" width="128" cellspacing="0" cellpadding="0"> <TBODY> <TR> <TD width="64" height="19">Field</TD> <TD width="64">Count</TD> </TR> <TR> <TD height="19">field1</TD> <TD>30</TD> </TR> <TR> <TD height="19">field2</TD> <TD>44</TD> </TR> <TR> <TD height="19">field3</TD> <TD>122</TD> </TR> <TR> <TD height="19">field4</TD> <TD>6</TD> </TR> </TBODY> </TABLE> <P><BR /><BR /></P> Tue, 27 Sep 2022 14:14:53 GMT https://community.splunk.com/t5/Splunk-Search/How-to-frame-a-table-from-stats-data/m-p/614706#M213635 ninja_panda 2022-09-27T14:14:53Z https://community.splunk.com/t5/Splunk-Search/How-to-frame-a-table-from-stats-data/m-p/614709#M213637 <P>If I understand your search correctly, you want to search for the amount of errors over 4 different sources and show them in a bar chart.</P><P>If you already have a key that identifies the source in the separate searches and the "search1-4" is just index and source type etc then try:&nbsp;</P><P>Lets say each "search" comes from a seperate index.&nbsp;</P><P><STRONG>(search1 OR search2 OR search3 OR search4)</STRONG><BR /><STRONG>| eval has_error = if(match(_raw, "WARNING"),1,0)</STRONG><BR /><STRONG>| where has_error=1</STRONG><BR /><STRONG>| stats count by index</STRONG></P><P>Then you have the amount of errors from each key.</P><P>&nbsp;</P><P>If it is a more komplex base search try this:</P><P><STRONG>search 1</STRONG><BR /><STRONG>| eval key = "search1"</STRONG><BR /><STRONG>| append [ search search2 | eval key = "search2"]</STRONG><BR /><STRONG>| append [ search search3 | eval key = "search3"]</STRONG><BR /><STRONG>| append [ search search3 | eval key = "search3"]</STRONG><BR /><STRONG>| eval has_error = if(match(_raw, "WARNING"),1,0)</STRONG><BR /><STRONG>| where has_error=1</STRONG><BR /><STRONG>| stats count by key</STRONG></P><P>_______________________________________</P><P>If this was helpful please consider awarding Karma. Thx!</P> Tue, 27 Sep 2022 09:18:17 GMT https://community.splunk.com/t5/Splunk-Search/How-to-frame-a-table-from-stats-data/m-p/614709#M213637 FelixLeh 2022-09-27T09:18:17Z https://community.splunk.com/t5/Splunk-Search/How-to-frame-a-table-from-stats-data/m-p/614715#M213640 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/249835">@ninja_panda</a>,</P><P>using a search like the one you shared, you can launch your search and then go to walk for 30-60 minutes!</P><P>Splunk isn't a database, you have to avoid join command and use it only if you haven't any other solution and always with few data.</P><P>You can use stats and eval to hasve the same result in a quicker way,</P><P>the main problem is to identify a filter for each search, if e.g. in each search you have a different index, or another field it's the same thing, you can try something like this:</P><LI-CODE lang="markup">index IN (index1, index2, index3, index4) "WARNING" | stats count BY index | eval field=case(index=index1,"field1",index=index2,"field2",index=index3,"field3",index=index4,"field4") | table field count</LI-CODE><P>If you have to use a different condition to identify the four searches, you can use something like this:</P><LI-CODE lang="markup">index IN (index1, index2, index3, index4) "WARNING" | stats count(eval(condition1)) AS field 1 count(eval(condition2)) AS field 2 count(eval(condition3)) AS field 3 count(eval(condition4)) AS field 4 | transpose</LI-CODE><P>Ciao.</P><P>Giuseppe</P><P>&nbsp;</P> Tue, 27 Sep 2022 09:30:17 GMT https://community.splunk.com/t5/Splunk-Search/How-to-frame-a-table-from-stats-data/m-p/614715#M213640 gcusello 2022-09-27T09:30:17Z https://community.splunk.com/t5/Splunk-Search/How-to-frame-a-table-from-stats-data/m-p/614719#M213643 <P>The second solution worked as a charm. thank you&nbsp;</P> Tue, 27 Sep 2022 09:48:19 GMT https://community.splunk.com/t5/Splunk-Search/How-to-frame-a-table-from-stats-data/m-p/614719#M213643 ninja_panda 2022-09-27T09:48:19Z https://community.splunk.com/t5/Splunk-Search/How-to-frame-a-table-from-stats-data/m-p/614722#M213645 <P>Glad to hear that <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Tue, 27 Sep 2022 09:57:34 GMT https://community.splunk.com/t5/Splunk-Search/How-to-frame-a-table-from-stats-data/m-p/614722#M213645 FelixLeh 2022-09-27T09:57:34Z