https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-output-results-to-separate-rows-based/m-p/118759#M31758 <P>Here you go :</P> <PRE><CODE>index="atti" sourcetype="strongmail" source="/data1/strongmail/log/strongmail-failed.log" | stats count(eval(mailingclass=="smtpvhost1.yp.com" OR mailingclass=="smtpvhost2.yp.com" OR mailingclass=="smtpvhost3.yp.com")) as Consumer count(eval(mailingclass="smtpvhost1.adsolutions.yp.com" OR mailingclass="smtpvhost2.adsolutions.yp.com" OR mailingclass="smtpvhost3.adsolutions.yp.com")) as Advertiser |eval Organisation=mvappend("Consumer","advertiser")|eval Failed=mvappend(Consumer,Advertiser)|table Organisation Failed </CODE></PRE> Sat, 23 May 2015 00:00:16 GMT stephanefotso 2015-05-23T00:00:16Z https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-output-results-to-separate-rows-based/m-p/118753#M31752 <P>Hi - I have been trying to get this search below to result in separate rows depending on the values. I have the information below:</P> <P>My current search</P> <PRE><CODE>index="atti" sourcetype="strongmail" source="/data1/strongmail/log/strongmail-failed.log" | chart count(mailingclass) as NumberFailed by mailingclass </CODE></PRE> <P>which results in:</P> <P><STRONG>mailingclass NumberFailed</STRONG><BR /> smtpvhost1.adsolutions.yp.com 136<BR /> smtpvhost1.yp.com 131<BR /> smtpvhost3.yp.com 124<BR /> smtpvhost2.adsolutions.yp.com 28<BR /> smtpvhost3.adsolutions.yp.com 8<BR /> smtpvhost2.yp.com 2</P> <P>I want to get two rows:</P> <P>first row "Consumer" where <BR /> mailingclass="smtpvhost1.yp.com" OR mailingclass="smtpvhost2.yp.com" OR mailingclass="smtpvhost3.yp.com"</P> <P>second row "Advertiser" where<BR /> mailingclass="smtpvhost1.adsolutions.yp.com" OR mailingclass="smtpvhost2.adsolutions.yp.com" OR mailingclass="smtpvhost3.adsolutions.yp.com"</P> <P>Now I want to only have two total rows. an example would be something like this:</P> <P><STRONG>ORGANIZATION Failed</STRONG><BR /> Consumer 172<BR /> Advertiser 257</P> <P>Any help would be great, this is so much easier in SQL, I am having issues all day in SPLUNK. Thanks.</P> Wed, 20 May 2015 22:58:53 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-output-results-to-separate-rows-based/m-p/118753#M31752 rajadatta 2015-05-20T22:58:53Z https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-output-results-to-separate-rows-based/m-p/118754#M31753 <P>Here you go</P> <PRE><CODE>index="atti" sourcetype="strongmail" source="/data1/strongmail/log/strongmail-failed.log" | stats count(eval(mailingclass="smtpvhost1.yp.com" OR mailingclass="smtpvhost2.yp.com" OR mailingclass="smtpvhost3.yp.com") as Consumer count(eval(mailingclass="smtpvhost1.adsolutions.yp.com" OR mailingclass="smtpvhost2.adsolutions.yp.com" OR mailingclass="smtpvhost3.adsolutions.yp.com) as Advertiser) </CODE></PRE> Wed, 20 May 2015 23:24:27 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-output-results-to-separate-rows-based/m-p/118754#M31753 stephanefotso 2015-05-20T23:24:27Z https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-output-results-to-separate-rows-based/m-p/118755#M31754 <P>thanks for the answer ran into some issues with some parenthesis, but I got it to work, thanks so much:</P> <P>index="atti" sourcetype="strongmail" source="/data1/strongmail/log/strongmail-failed.log" | stats count(eval(mailingclass=="smtpvhost1.yp.com" OR mailingclass=="smtpvhost2.yp.com" OR mailingclass=="smtpvhost3.yp.com"<STRONG>))</STRONG> as Consumer count(eval(mailingclass="smtpvhost1.adsolutions.yp.com" OR mailingclass="smtpvhost2.adsolutions.yp.com" OR mailingclass="smtpvhost3.adsolutions.yp.com"<STRONG>))</STRONG> as Advertiser</P> <P>Is it easy to manipulate this into a chart to see comparisons over time?</P> Thu, 21 May 2015 00:03:48 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-output-results-to-separate-rows-based/m-p/118755#M31754 rajadatta 2015-05-21T00:03:48Z https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-output-results-to-separate-rows-based/m-p/118756#M31755 <P>Yes of course! even with the stats command you can see comparison over time:</P> <P>Try this:</P> <PRE><CODE>index="atti" sourcetype="strongmail" source="/data1/strongmail/log/strongmail-failed.log" | stats count(eval(mailingclass=="smtpvhost1.yp.com" OR mailingclass=="smtpvhost2.yp.com" OR mailingclass=="smtpvhost3.yp.com")) as Consumer count(eval(mailingclass="smtpvhost1.adsolutions.yp.com" OR mailingclass="smtpvhost2.adsolutions.yp.com" OR mailingclass="smtpvhost3.adsolutions.yp.com")) as Advertiser by _time </CODE></PRE> <P>or this</P> <PRE><CODE> index="atti" sourcetype="strongmail" source="/data1/strongmail/log/strongmail-failed.log" | timechart count(eval(mailingclass=="smtpvhost1.yp.com" OR mailingclass=="smtpvhost2.yp.com" OR mailingclass=="smtpvhost3.yp.com")) as Consumer count(eval(mailingclass="smtpvhost1.adsolutions.yp.com" OR mailingclass="smtpvhost2.adsolutions.yp.com" OR mailingclass="smtpvhost3.adsolutions.yp.com")) as Advertiser </CODE></PRE> <P>or ...</P> Thu, 21 May 2015 00:31:40 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-output-results-to-separate-rows-based/m-p/118756#M31755 stephanefotso 2015-05-21T00:31:40Z https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-output-results-to-separate-rows-based/m-p/118757#M31756 <P>This is great. Thank you.</P> Thu, 21 May 2015 18:19:06 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-output-results-to-separate-rows-based/m-p/118757#M31756 rajadatta 2015-05-21T18:19:06Z https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-output-results-to-separate-rows-based/m-p/118758#M31757 <P>This might be more complicated currently the results are like below:</P> <P>Consumer | Advertiser<BR /> 3232 | 2323</P> <P>From the initial query is there a way to get to just per row and not column. The charts are not doing the correct comparison since it is not comparing to each other.</P> <P>More like:</P> <P>Organization | Failed<BR /> Consumer | 3232<BR /> Advertiser | 2323</P> <P>Thanks appreciate the help, my objective is to do be able to do a comparison in the end.</P> Thu, 21 May 2015 21:48:30 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-output-results-to-separate-rows-based/m-p/118758#M31757 rajadatta 2015-05-21T21:48:30Z https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-output-results-to-separate-rows-based/m-p/118759#M31758 <P>Here you go :</P> <PRE><CODE>index="atti" sourcetype="strongmail" source="/data1/strongmail/log/strongmail-failed.log" | stats count(eval(mailingclass=="smtpvhost1.yp.com" OR mailingclass=="smtpvhost2.yp.com" OR mailingclass=="smtpvhost3.yp.com")) as Consumer count(eval(mailingclass="smtpvhost1.adsolutions.yp.com" OR mailingclass="smtpvhost2.adsolutions.yp.com" OR mailingclass="smtpvhost3.adsolutions.yp.com")) as Advertiser |eval Organisation=mvappend("Consumer","advertiser")|eval Failed=mvappend(Consumer,Advertiser)|table Organisation Failed </CODE></PRE> Sat, 23 May 2015 00:00:16 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-output-results-to-separate-rows-based/m-p/118759#M31758 stephanefotso 2015-05-23T00:00:16Z https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-output-results-to-separate-rows-based/m-p/118760#M31759 <P>Thanks this was a huge help.</P> Tue, 26 May 2015 19:03:31 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-output-results-to-separate-rows-based/m-p/118760#M31759 rajadatta 2015-05-26T19:03:31Z