Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Alter table column and search based on objecttype

nithys
Communicator
‎11-05-2023 09:17 PM

Hi Team,
I have a table which has counts for these attributes Re-ProcessRequest count,objectType,objectIdsCount,uniqObjectIdsCount,sqsSentCount,dataNotFoundIds 
1.How can i make table column arrange as my needs,currently dataNotFoundIds shows in second coluld ,,,rather i want to display in last column.similary want to do for other columns too?
2.How can i filter based on the objecttype and do the addcolumntotal and gisplay total count?
index="" source IN ""   "support request details" |stats count | rename count as Re-ProcessRequest
| join left [ search
index="" source IN ""  "input params" OR "sqs sent count" OR "Total messages published to SQS successfully" OR "unique objectIds" OR "data not found for Ids"
| rex "\"objectType\":\"(?<objectType>[^\"]+)"
| rex "\"objectIdsCount\":\"(?<objectIdsCount>[^\"]+)"
| rex "\"uniqObjectIdsCount\":\"(?<uniqObjectIdsCount>[^\"]+)"
| rex "\"sqsSentCount\":\"(?<sqsSentCount>[^\"]+)"
| rex "\"dataNotFoundIds\":\"(?<dataNotFoundIds>[^\"]+)"
| rex "\"totalMessagesPublishedToSQS\":\"(?<totalMessagesPublishedToSQS>[^\"]+)"
| table objectType,objectIdsCount,sqsSentCount,totalMessagesPublishedToSQS,uniqObjectIdsCount,dataNotFoundIds | addcoltotals labelfield=total label="Total" | tail 1| stats list(*) as * ]
| join [ search
index=""source IN "" "dataNotFoundIds" | spath output=payload path=dataNotFoundIds{} | spath input=_raw | stats count by payload | addcoltotals labelfield=total label="Total" | tail 1 | fields - payload,total | rename count as datanotfound]

Screenshot 2023-11-05 at 9.12.52 PM.png

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎11-05-2023 10:58 PM

Hi @nithys,

at the ned of your search you can use the table command to define the order of fields in output, in your case:

<your_search>
| table field1 field2 field3 datanotfoundbynewway

then you are using three very similar searches as subsearches: this isn't very efficient because every subsearch takes a CPU.

In you case you couls use something like this: (please adapt my approach to your requirement):

index=dummyIndex    source IN ("/dummy/Source")("support request details" OR "input params" OR "sqs sent count" OR "Total messages published to SQS successfully" OR "unique objectIds" OR "data not found for Ids" OR "dataNotFoundIds" OR "dataNotFoundIds")
| rex "\"objectType\":\"(?<objectType>[^\"]+)"
| rex "\"objectIdsCount\":\"(?<objectIdsCount>[^\"]+)"
| rex "\"uniqObjectIdsCount\":\"(?<uniqObjectIdsCount>[^\"]+)"
| rex "\"sqsSentCount\":\"(?<sqsSentCount>[^\"]+)"
| rex "\"totalMessagesPublishedToSQS\":\"(?<totalMessagesPublishedToSQS>[^\"]+)" 
| spath output=payload path=dataNotFoundIds{} 
| rename dataNotFoundIds{}AS datanotfoundbynewway
| stats 
   values(objectType) AS objectType
   values(objectIdsCount) AS objectIdsCount
   values(sqsSentCount) AS sqsSentCount
   values(totalMessagesPublishedToSQS) AS totalMessagesPublishedToSQS
   values(uniqObjectIdsCount) AS uniqObjectIdsCount
   count AS Re-ProcessRequest
   values(datanotfoundbynewway) AS datanotfoundbynewway
| addcoltotals labelfield=total label="Total"
| table objectType objectIdsCount sqsSentCount totalMessagesPublishedToSQS uniqObjectIdsCount datanotfoundbynewway

probably this search will not work as is, but see my approach.

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎11-05-2023 10:00 PM

Hi @nithys ,

Let meunderstand: your issue is the fields order at the end of your search?

if this is your issue, use table at the end of your search listing fields in the wanted order.

About the filter, you can add a search command after the objectType extraction.

At least one hint: try to avoid to use join command: Splunk isn't a database and join command is very slow and resource consuming! in Community you can find many sampleas about replace join with stats.

I could be more detailes. if you could share your search using the Insert/Edit Code Sample button (<>) because the search parameters aren't clear.

Ciao.

Giuseppe

 

0 Karma
Reply
Solved! Jump to solution

nithys
Communicator
‎11-05-2023 10:40 PM

Thanks for your reply . 

index=dummyIndex    source IN ("/dummy/Source")"support request details"  |stats count | rename count as Re-ProcessRequest
| appendcols  [ search 
index=dummyIndex    source IN ("/dummy/Source") "input params" OR "sqs sent count" OR "Total messages published to SQS successfully" OR "unique objectIds" OR "data not found for Ids" OR "dataNotFoundIds"
 | rex "\"objectType\":\"(?<objectType>[^\"]+)"
  | rex "\"objectIdsCount\":\"(?<objectIdsCount>[^\"]+)"
   | rex "\"uniqObjectIdsCount\":\"(?<uniqObjectIdsCount>[^\"]+)"
  | rex "\"sqsSentCount\":\"(?<sqsSentCount>[^\"]+)"
    | rex "\"totalMessagesPublishedToSQS\":\"(?<totalMessagesPublishedToSQS>[^\"]+)" 
  | table objectType,objectIdsCount,sqsSentCount,totalMessagesPublishedToSQS,uniqObjectIdsCount   | addcoltotals labelfield=total label="Total" | tail 1| stats list(*) as * ]
  | appendcols  [ search 
  index=dummyIndex    source IN ("/dummy/source") "dataNotFoundIds" | spath output=payload path=dataNotFoundIds{} | spath input=_raw | stats count by payload  | addcoltotals labelfield=total label="Total" | tail 1 | fields - payload,total | rename count as datanotfoundbynewway]


While above is my query ,Let me first ask this: Can you please elaborate more on your statement
"if this is your issue, use table at the end of your search listing fields in the wanted order."

I am looking to modify the above query such a way the column "datanotfoundbynewway" should appear at last.

Actual: It always displayed as a second column
Expected : I wanted that column to appear as the last column . 

# also how can i make use of stats in the above query instead of join 

Thanks again!

Tags (2)
0 Karma
Reply
Solved! Jump to solution

nithys
Communicator
‎11-05-2023 10:42 PM

Screenshot 2023-11-05 at 10.41.14 PM.png

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎11-05-2023 10:58 PM

Hi @nithys,

at the ned of your search you can use the table command to define the order of fields in output, in your case:

<your_search>
| table field1 field2 field3 datanotfoundbynewway

then you are using three very similar searches as subsearches: this isn't very efficient because every subsearch takes a CPU.

In you case you couls use something like this: (please adapt my approach to your requirement):

index=dummyIndex    source IN ("/dummy/Source")("support request details" OR "input params" OR "sqs sent count" OR "Total messages published to SQS successfully" OR "unique objectIds" OR "data not found for Ids" OR "dataNotFoundIds" OR "dataNotFoundIds")
| rex "\"objectType\":\"(?<objectType>[^\"]+)"
| rex "\"objectIdsCount\":\"(?<objectIdsCount>[^\"]+)"
| rex "\"uniqObjectIdsCount\":\"(?<uniqObjectIdsCount>[^\"]+)"
| rex "\"sqsSentCount\":\"(?<sqsSentCount>[^\"]+)"
| rex "\"totalMessagesPublishedToSQS\":\"(?<totalMessagesPublishedToSQS>[^\"]+)" 
| spath output=payload path=dataNotFoundIds{} 
| rename dataNotFoundIds{}AS datanotfoundbynewway
| stats 
   values(objectType) AS objectType
   values(objectIdsCount) AS objectIdsCount
   values(sqsSentCount) AS sqsSentCount
   values(totalMessagesPublishedToSQS) AS totalMessagesPublishedToSQS
   values(uniqObjectIdsCount) AS uniqObjectIdsCount
   count AS Re-ProcessRequest
   values(datanotfoundbynewway) AS datanotfoundbynewway
| addcoltotals labelfield=total label="Total"
| table objectType objectIdsCount sqsSentCount totalMessagesPublishedToSQS uniqObjectIdsCount datanotfoundbynewway

probably this search will not work as is, but see my approach.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

nithys
Communicator
‎11-06-2023 08:38 PM

thank you

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...