topic Re: How to change the format of the table output? in Splunk Search

How to change the format of the table output?

jgcsco — Wed, 08 Apr 2015 20:28:17 GMT

I have this search:

[search] | stats count by Status Errors | eventstats sum(count) as StatusCount by Status| eventstats sum(count) as TotalCount | search Status = "Failed" | eval percent=100*StatusCount/TotalCount | where percent > 1 | table percent Errors count

Which produces the following result:

percent   Error     count
1.2       error1      A
1.2       error2      B
1.2       error3      C

Since the percent here is the total error percent, I would like the result to show as the following:

percent  1.2
Error    count
error1     A
error2     B
error3     C

Error    count    percent 1.2
error1     A
error2     B
error3     C

Can this be done?

Re: How to change the format of the table output?

chimell — Wed, 08 Apr 2015 21:51:28 GMT

Hi jgcsco
try this search code

     [search] | stats count by Status Errors | eventstats sum(count) as StatusCount by Status| eventstats sum(count) as TotalCount | table  Errors count|appendcols[search Status = "Failed" | eval percent=100*StatusCount/TotalCount | where percent > 1 |dedup percent| table percent]

Re: How to change the format of the table output?

jgcsco — Wed, 08 Apr 2015 21:55:11 GMT

Thanks, I was wondering if there is a way to avoid using "appendcols".

Re: How to change the format of the table output?

dwaddle — Wed, 08 Apr 2015 22:03:08 GMT

This is ugly, and not quite what you're looking for but ...

 $SEARCH | stats count by Status Errors 
| eventstats sum(count) as StatusCount by Status
| eventstats sum(count) as TotalCount | search Status = "Failed" 
| eval percent=100*StatusCount/TotalCount | where percent > 1 
| table percent Errors count
| appendpipe [ | stats max(percent) as count  | eval Errors="percent" ]
| fields - percent

Re: How to change the format of the table output?

jgcsco — Thu, 09 Apr 2015 00:48:58 GMT

Thanks, although a bit ugly, but it is very close to what I am looking for.