Splunk Search

add fields after a stats count

Mike6960
Path Finder

In my search I use a couple of stats counts; the problem is that after these commands I miss other fields that I want to use, for example _time. I don't need a count for these fields, so how can I make sure they are still available later on in the search?

My search is for example:

index=*
"message.Origin"=blabla
source="something "
| stats count(eval('logger' ="test1")) as "example",
count(eval(logger ="test2")) as "example2" by ID

After the stats I only have the fields example, example2 and ID.

0 Karma
1 Solution

adonio
Ultra Champion

iparitosh
Path Finder

Try this.

index=* "message.Origin"=blabla source="something " 
| eventstats count(eval('logger' ="test1")) as "example",
count(eval(logger ="test2")) as "example2" by ID
| stats list(field1) as field1 list(field2) as field2... list(fieldN) as fieldN max(example) max(example2) by ID
0 Karma

Mike6960
Path Finder

The 'table list' command does not seem to work when I use it as you describe.

0 Karma

Mike6960
Path Finder

I tried stats list instead, but it does not seem to give the results I want.

0 Karma

iparitosh
Path Finder

Can you explain what is the issue and provide your query here?

0 Karma

iparitosh
Path Finder

My bad, it should be
... | stats list(field_name)... by ID

Edited my answer.

0 Karma

preactivity
Path Finder

Replace stats with eventstats.

index=*  "message.Origin"=blabla source="something " 
| eventstats count(eval('logger' ="test1")) as "example1", count(eval(logger ="test2")) as "example2" by ID
| table example1,example2,source,index,ID

Note: eventstats is not good if you are concerned about performance.

0 Karma

Mike6960
Path Finder

But if I use eventstats I get all the events back, so also the ones that don't match the conditions in the evals. I only want the events where (for example) logger="test1".

0 Karma

preactivity
Path Finder

Try to apply all searches at the first stage so that you will have less data for the computation.

index=*  "message.Origin"=blabla source="something " 
| search logger="test1" OR logger="test2"
| eventstats count(eval('logger' ="test1")) as "example1", count(eval(logger ="test2")) as "example2" by ID
| table example1,example2,source,index,ID
0 Karma

Mike6960
Path Finder

Thanks, but with the stats command I got one line per ID and the 'loggers' in columns next to it. With eventstats I get one line per logger. What I need is, for every single ID, just one line with the other fields in columns next to it.

0 Karma

preactivity
Path Finder

Just add dedup after the eventstats.

index=* "message.Origin"=blabla source="something "
| search logger="test1" OR logger="test2"
| eventstats count(eval('logger' ="test1")) as "example1", count(eval(logger ="test2")) as "example2" by ID
| dedup ID
| table example1,example2,source,index,ID

0 Karma
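A runnable model of the three SPL behaviours this thread turns on (stats dropping every field except the aggregates and the by-field, eventstats keeping all fields on every event, and dedup collapsing to one row per ID). This is added example code written for this page in Python, not Splunk's implementation and not code from any poster; the event records are constructed sample data that reuse the question's field names.

```python
from collections import Counter, defaultdict

# Constructed sample events (not from the thread); fields mirror the question.
EVENTS = [
    {"ID": "A", "logger": "test1", "source": "app.log", "_time": 100},
    {"ID": "A", "logger": "test2", "source": "app.log", "_time": 110},
    {"ID": "A", "logger": "other", "source": "app.log", "_time": 120},
    {"ID": "B", "logger": "test1", "source": "web.log", "_time": 200},
    {"ID": "B", "logger": "test1", "source": "web.log", "_time": 210},
]

def _counts(events):
    """Per-ID counts, like count(eval(logger="test1")) / count(eval(logger="test2"))."""
    per_id = defaultdict(Counter)
    for e in events:
        per_id[e["ID"]][e["logger"]] += 1
    return {i: {"example1": c["test1"], "example2": c["test2"]} for i, c in per_id.items()}

def stats_by_id(events):
    """`stats ... by ID`: one row per ID; only aggregates and the by-field survive."""
    return [{"ID": i, **agg} for i, agg in _counts(events).items()]

def eventstats_by_id(events):
    """`eventstats ... by ID`: every event is kept, the per-ID aggregates are appended."""
    agg = _counts(events)
    return [{**e, **agg[e["ID"]]} for e in events]

def dedup(events, field):
    """`dedup <field>`: keep the first event seen per value; which one that is depends
    on the order the events arrive in (Splunk's default is most recent first)."""
    seen, out = set(), []
    for e in events:
        if e[field] not in seen:
            seen.add(e[field])
            out.append(e)
    return out

def search(events, loggers):
    """`search logger="test1" OR logger="test2"` placed before the aggregation."""
    return [e for e in events if e["logger"] in loggers]

def pipeline(events):
    """The thread's final query: search | eventstats | dedup ID | table."""
    rows = dedup(eventstats_by_id(search(events, {"test1", "test2"})), "ID")
    keep = ("example1", "example2", "source", "_time", "ID")
    return [{k: r[k] for k in keep} for r in rows]
```

Comparing `stats_by_id(EVENTS)` with `pipeline(EVENTS)` shows the difference the asker ran into: the first has no `_time` or `source` at all, the second has one row per ID with those fields still attached.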

adonio
Ultra Champion

use eventstats

richgalloway
SplunkTrust

@adonio means replace stats with eventstats and fields won't be dropped.

---
If this reply helps you, Karma would be appreciated.
0 Karma

iparitosh
Path Finder

Yes. eventstats keeps all fields available for the next command.

0 Karma

Mike6960
Path Finder

But if I use eventstats I get all the events back, so also the ones that don't match the conditions in the evals. I only want the events where (for example) logger="test1".

0 Karma

iparitosh
Path Finder

Post eventstats you can filter events with | search logger="test1"

0 Karma

Mike6960
Path Finder

OK, I wonder why I should use stats or eventstats at all... I could just use search= instead. Every time when I think I understand Splunk I get confused.

0 Karma