topic Re: How to search the results produced by the multireport command? in Splunk Search

How to search the results produced by the multireport command?

jlkokko — Tue, 24 May 2016 15:44:12 GMT

I have the following search:

index="main" |rename Proj_repo AS Project | multireport [ stats values(Project) AS Projects BY Author ][ stats values(Author) AS Team BY Project ]

that provides a combined result set for which I need to search each Author against Team to get a combined set of Team values for the author (in other words, everyone the author has worked with).

I've tried various forms of foreach and map, but to no avail. I've additionally tried comma delimiting the Team values since it's a mutlivalue field.

Suggestions on how to search the results of the multireport? Thanks!

Re: How to search the results produced by the multireport command?

somesoni2 — Tue, 24 May 2016 16:04:09 GMT

Give this a try

index=main | stats count by Proj_repo Author |rename Proj_repo AS Project | eventstats values(Author) as Authors by Project | stats values(Authors) as Team by Author

Re: How to search the results produced by the multireport command?

jlkokko — Tue, 24 May 2016 16:09:07 GMT

Exactly what I needed. Can you explain the need for stats count? I'm not sure I understand its use in the equation.

Re: How to search the results produced by the multireport command?

jlkokko — Tue, 24 May 2016 16:21:10 GMT

As the first count is not displayed, I simplified it a bit and added the counts on the end:

index=main | eventstats values(Author) as Authors by Proj_repo | stats values(Authors) as Team by Author | eval People = mvcount(Team)

Re: How to search the results produced by the multireport command?

somesoni2 — Tue, 24 May 2016 17:02:46 GMT

The stats count was to remove the duplicate combination of Project and Author. You can use dedup command as well. I generally prefer to remove unwanted results as soon as possible, to avoid extra processing.

Re: How to search the results produced by the multireport command?

somesoni2 — Tue, 24 May 2016 17:04:39 GMT

Give this a try as well (may be little faster)

index=main | stats values(Proj_repo) as Projects by Author | eventstats values(Author) as Team by Projects | stats values(Team) as Team by Author | eval MemberCount=mvcount(Team)

Re: How to search the results produced by the multireport command?

landen99 — Tue, 31 Dec 2019 20:14:29 GMT

Do you have a link to the documentation on multireport? I don't see it here: https://docs.splunk.com/Documentation/Splunk/8.0.1/SearchReference/WhatsInThisManual

Re: How to search the results produced by the multireport command?

gjanders — Thu, 02 Jan 2020 08:54:01 GMT

multireport is unlikely to be documented unfortunately, they are more likely to create a new search command...