How to add a row into a table, the row depends on ...

ganinurceski · ‎11-28-2019

index="Value of index" tag="Value of Tag" DATA="code for data1" | chart count by parameter1 | rename count as "Count of DATA" | sort - "Count of DATA"

As a result, i want to see a table, which display every parameter1 Value, the count of data1 and count of data2 (which isnt in the string within) but both data values seperate. What can I do?

woodcock · ‎11-28-2019

Like this:

index="index" AND tag="tag" AND (DATA="code for data1" OR DATA="code for data2")
| chart count(eval(DATA="code for data1")) AS data1count count(eval(DATA="code for data2")) AS data2count BY paraeter1
| sort 0 - data1count data2count

gcusello · ‎11-28-2019

Hi @ganinurceski,
in a table you have rows and columns, if I correctly understood, in first row there are values for data 1 and in the second values for data 2 that come from another search.
But columns must be the same in both the searches, otherwise how can you create a table?

if this is your need, you should try something like this

(index="Value of index 1" tag="Value of Tag 1" DATA="code for data 1") OR (index="Value of index 2" tag="Value of Tag 2" DATA="code for data2")
| eval my_search=if(index="Value of index 1","First search","Second search") 
| chart count OVER my_search BY parameter1  
| sort - "my_search"

Ciao.
Giuseppe

How to add a row into a table, the row depends on a search result, which is before the first Pipe (|)?

Take the 2021 Splunk Career Survey for $50 in Amazon Cash

Using Machine Learning for Hunting Security Threats

Observability Newsletter Highlights | March 2023