All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Append or Join related in Splunk

deepeshk79
Explorer
‎04-13-2015 03:45 PM

Hi - I'm trying to read two different elements within each search record and them show their count so its like

Record 1 - key1, key 2 Record 2 - key1, key 3
Record 3 - key1, key3, key2

The result i'm trying to get is
Key 1 - count of 3
Key 2 - count of 2
key 3 - count of 2

So when i search first i get the raw, look for key 1 and do a stat with count for key 1, then i append a new search query look for key 2 and then do a stat with count for key 2 etc..

The problem is when i append it does not just add the new values as rows but it adds it as columns which is weird, so output is like
key 1 - 3 key2 - 2 key3- 3

I want them vertically one below another and not in this horizontal way...

Pls advise..

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Runals
Motivator
‎04-13-2015 04:27 PM

Try ... | stats count(eval(key1="foo")) as key1 count(eval(key2="bar")) as key2

There are a couple other options depending on what "key" is though which seems to be the issue. An over the top way could be 

... | stats count by key1 | append [search .... | stats count by key2]

But that generally isn't needed.

View solution in original post

Reply
Solved! Jump to solution
Solution

Runals
Motivator
‎04-13-2015 04:27 PM

Try ... | stats count(eval(key1="foo")) as key1 count(eval(key2="bar")) as key2

There are a couple other options depending on what "key" is though which seems to be the issue. An over the top way could be 

... | stats count by key1 | append [search .... | stats count by key2]

But that generally isn't needed.

Reply
Solved! Jump to solution

deepeshk79
Explorer
‎04-14-2015 11:37 AM

As suggested by Runals, to append results of queries one below another use append

... | stats count by key1 | append [search .... | stats count by key2]

Note - appendcols will append as columns

Reply
Solved! Jump to solution

deepeshk79
Explorer
‎04-14-2015 11:35 AM

Thanks Runals , it worked, I was trying appendcols instead of append so it was appending as columns. With append - it's adding all the rows one below another.

0 Karma
Reply
Solved! Jump to solution

Runals
Motivator
‎04-13-2015 04:06 PM

Can you post so more concrete examples? I'm trying to understand why a ... | stats count by key isn't working. Not knowing what "key" is or what sort of field extraction you've setup you could try something like

sourcetype=foo | rex max_match=0 "(?<key>key\d+)" | stats count as events by key | stats count by events

but I'm not sure what that would output relative to your data

Reply
Solved! Jump to solution

deepeshk79
Explorer
‎04-13-2015 04:17 PM

Hi Runals - let me put my ques in a diff way - how can i append two stat results one below another ?
for e.g. stats count(key1) by key1 | stats count(key2) by key2

where key1 = some eval expression
and key2 = some eval expression

Thanks

0 Karma
Reply
Get Updates on the Splunk Community!

CX Day is Coming!

Customer Experience (CX) Day is on October 7th!! We're so excited to bring back another day full of wonderful ...

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

The Big One: Splunk 10 is Here!  The moment many of you have been waiting for has arrived! We are thrilled to ...

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Today, we’re excited to announce the release of a brand new AI assistant usage dashboard in Cloud Monitoring ...