Knowledge Management
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to add a row into a table, the row depends on a search result, which is before the first Pipe (|)?

ganinurceski
Engager
‎11-28-2019 06:23 AM

index="Value of index" tag="Value of Tag" DATA="code for data1" | chart count by parameter1 | rename count as "Count of DATA" | sort - "Count of DATA"

As a result, i want to see a table, which display every parameter1 Value, the count of data1 and count of data2 (which isnt in the string within) but both data values seperate. What can I do?

0 Karma
Reply

woodcock
Esteemed Legend
‎11-28-2019 12:28 PM

Like this:

index="index" AND tag="tag" AND (DATA="code for data1" OR DATA="code for data2")
| chart count(eval(DATA="code for data1")) AS data1count count(eval(DATA="code for data2")) AS data2count BY paraeter1
| sort 0 - data1count data2count
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-28-2019 10:51 AM

Hi @ganinurceski,
in a table you have rows and columns, if I correctly understood, in first row there are values for data 1 and in the second values for data 2 that come from another search.
But columns must be the same in both the searches, otherwise how can you create a table?

if this is your need, you should try something like this

(index="Value of index 1" tag="Value of Tag 1" DATA="code for data 1") OR (index="Value of index 2" tag="Value of Tag 2" DATA="code for data2")
| eval my_search=if(index="Value of index 1","First search","Second search") 
| chart count OVER my_search BY parameter1  
| sort - "my_search"

Ciao.
Giuseppe

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...