https://community.splunk.com/t5/Splunk-Search/How-do-I-create-a-faceted-multi-filter-search-with-counting-over/m-p/237393#M70555 <P>I'm writing a generic search layer that allows our users to have drilldown, faceted search experience. This means that for a given set of search results, I want to see the distribution of existing values for a set of given fields, with a count of matches. This will allow the user to select one of those values and run a second search, narrowing down the results.</P> <P>It seems easy enough to do it for one result field, using <CODE>stats count</CODE> or <CODE>chart count</CODE>. The problem is that <CODE>count</CODE>ing over multiple fields results in a narrow AND count, rather than a separate count for each different field. </P> <P>I've tried implementing this with subsearches - <CODE>search host="test" | chart count by field1 | append [search host="test" | chart count by field2]</CODE> but this requires me to pass the search filters ( ( <CODE>host="test"</CODE>) for every internal subsearch, in essence running the search <STRONG>n</STRONG> times instead of just getting stats on a single set of search results. It might be more efficient than running <STRONG>n</STRONG> searches from my code, but it still seems wasteful.</P> <P>So, is there a way to achieve this without running multiple searches? It would be even better if I can get the search <EM>results</EM> alongside the search <EM>stats</EM> in a single hit.</P> Tue, 17 Nov 2015 06:45:16 GMT lisardggy 2015-11-17T06:45:16Z https://community.splunk.com/t5/Splunk-Search/How-do-I-create-a-faceted-multi-filter-search-with-counting-over/m-p/237393#M70555 <P>I'm writing a generic search layer that allows our users to have drilldown, faceted search experience. This means that for a given set of search results, I want to see the distribution of existing values for a set of given fields, with a count of matches. This will allow the user to select one of those values and run a second search, narrowing down the results.</P> <P>It seems easy enough to do it for one result field, using <CODE>stats count</CODE> or <CODE>chart count</CODE>. The problem is that <CODE>count</CODE>ing over multiple fields results in a narrow AND count, rather than a separate count for each different field. </P> <P>I've tried implementing this with subsearches - <CODE>search host="test" | chart count by field1 | append [search host="test" | chart count by field2]</CODE> but this requires me to pass the search filters ( ( <CODE>host="test"</CODE>) for every internal subsearch, in essence running the search <STRONG>n</STRONG> times instead of just getting stats on a single set of search results. It might be more efficient than running <STRONG>n</STRONG> searches from my code, but it still seems wasteful.</P> <P>So, is there a way to achieve this without running multiple searches? It would be even better if I can get the search <EM>results</EM> alongside the search <EM>stats</EM> in a single hit.</P> Tue, 17 Nov 2015 06:45:16 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-create-a-faceted-multi-filter-search-with-counting-over/m-p/237393#M70555 lisardggy 2015-11-17T06:45:16Z https://community.splunk.com/t5/Splunk-Search/How-do-I-create-a-faceted-multi-filter-search-with-counting-over/m-p/237394#M70556 <P>Would this help?<BR /> <A href="https://answers.splunk.com/answers/290287/is-it-possible-to-do-faceted-search-with-splunk-si.html">https://answers.splunk.com/answers/290287/is-it-possible-to-do-faceted-search-with-splunk-si.html</A></P> Thu, 10 Dec 2015 18:22:38 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-create-a-faceted-multi-filter-search-with-counting-over/m-p/237394#M70556 bemantunes 2015-12-10T18:22:38Z