All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Append or Join related in Splunk

deepeshk79
Explorer
‎04-13-2015 03:45 PM

Hi - I'm trying to read two different elements within each search record and them show their count so its like

Record 1 - key1, key 2 Record 2 - key1, key 3
Record 3 - key1, key3, key2

The result i'm trying to get is
Key 1 - count of 3
Key 2 - count of 2
key 3 - count of 2

So when i search first i get the raw, look for key 1 and do a stat with count for key 1, then i append a new search query look for key 2 and then do a stat with count for key 2 etc..

The problem is when i append it does not just add the new values as rows but it adds it as columns which is weird, so output is like
key 1 - 3 key2 - 2 key3- 3

I want them vertically one below another and not in this horizontal way...

Pls advise..

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Runals
Motivator
‎04-13-2015 04:27 PM

Try ... | stats count(eval(key1="foo")) as key1 count(eval(key2="bar")) as key2

There are a couple other options depending on what "key" is though which seems to be the issue. An over the top way could be 

... | stats count by key1 | append [search .... | stats count by key2]

But that generally isn't needed.

View solution in original post

Reply
Solved! Jump to solution
Solution

Runals
Motivator
‎04-13-2015 04:27 PM

Try ... | stats count(eval(key1="foo")) as key1 count(eval(key2="bar")) as key2

There are a couple other options depending on what "key" is though which seems to be the issue. An over the top way could be 

... | stats count by key1 | append [search .... | stats count by key2]

But that generally isn't needed.

Reply
Solved! Jump to solution

deepeshk79
Explorer
‎04-14-2015 11:37 AM

As suggested by Runals, to append results of queries one below another use append

... | stats count by key1 | append [search .... | stats count by key2]

Note - appendcols will append as columns

Reply
Solved! Jump to solution

deepeshk79
Explorer
‎04-14-2015 11:35 AM

Thanks Runals , it worked, I was trying appendcols instead of append so it was appending as columns. With append - it's adding all the rows one below another.

0 Karma
Reply
Solved! Jump to solution

Runals
Motivator
‎04-13-2015 04:06 PM

Can you post so more concrete examples? I'm trying to understand why a ... | stats count by key isn't working. Not knowing what "key" is or what sort of field extraction you've setup you could try something like

sourcetype=foo | rex max_match=0 "(?<key>key\d+)" | stats count as events by key | stats count by events

but I'm not sure what that would output relative to your data

Reply
Solved! Jump to solution

deepeshk79
Explorer
‎04-13-2015 04:17 PM

Hi Runals - let me put my ques in a diff way - how can i append two stat results one below another ?
for e.g. stats count(key1) by key1 | stats count(key2) by key2

where key1 = some eval expression
and key2 = some eval expression

Thanks

0 Karma
Reply
Get Updates on the Splunk Community!

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...