All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

how to Convert single row values to multiple rows after appendcols

hqw
Path Finder
‎12-07-2015 08:30 PM

Hi all,

I want to convert a table for further calculation, there are two columns and they came from different part and join by appendcols command. database_count is a standard number in my database, which is directly extracted from database and then saved as a saved report. Now I want to compare the difference in each hour of real working number. After run my search, my result is as displayed, but it only has a standard number in the first row. What I want is to fill all the rows with that number, so later I can calculate the difference by each hour.

Please kindly help. thanks.alt text

What I want:

hour    current_reporting   database_count
00            33                  494
01          25                494
02          19                494
03          15                494

My search:

NOT Reference  |eval hour=strftime(_time,"%H") | stats   values(name) as name_values   by hour  | stats dc(name_values) AS current_reporting by hour |appendcols [|savedsearch monitoring_data|search tags="*"  | stats dc(name) as database_count]
Preview file
38 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎12-07-2015 08:39 PM

I think you may be able to do

.. | eventstats sum(database_count) as databasecount

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎12-07-2015 08:39 PM

I think you may be able to do

.. | eventstats sum(database_count) as databasecount

0 Karma
Reply
Solved! Jump to solution

hqw
Path Finder
‎12-07-2015 10:03 PM

Sorry Sundareshr, i misunderstood you, now it is working fine now, thanks a lot.

0 Karma
Reply
Solved! Jump to solution

hqw
Path Finder
‎12-07-2015 09:59 PM

hello Sundareshr,

thanks for your reply, but it is not working

0 Karma
Reply
Get Updates on the Splunk Community!

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...