Splunk Dev

Get total number of columns

vinod94
Contributor
  assigned 2018-02-06   2018-02-08  2018-02-13  2018-02-15  
     4            0          0              0          0
     9            0          0              0          0
    10            1          0              0          0
    11            1          0              0          0

where the above date values are present in a field called DATES. I have used chart command to get the above table.
I want to create a new column which should give me the total number of date columns.Here, I have 4 dates in my column so the output should look like this

    assigned 2018-02-06   2018-02-08    2018-02-13  2018-02-15  total_date_columns
     4            0          0              0          0               4
     9            0          0              0          0               4
    10            1          0              0          0               4
    11            1          0              0          0               4
Tags (1)
0 Karma
1 Solution

elliotproebstel
Champion

Assuming the date columns will always take that format, this should work:

your base search
| eval total_date_columns=0
| foreach 2018* 
 [ total_date_columns=total_date_columns+1 ]

View solution in original post

niketn
Legend

@vinod94, what is your existing chart command that you have used? It is possible that you can have the total_date_columns value calculated in the chart command itself. Also once you get the total_date_columns, what is the next thing you would want to do?

I would also use foreach command. But, here is a run anywhere search with Splunk's _internal index and transpose, addtotals and filldown commands. This is just to document an alternative approach:

index=_internal sourcetype=splunkd log_level!="INFO"
| eval Dates=strftime(_time,"%Y/%m/%d")
| chart count over Dates by component useother=f usenull=f
| eval total_date_columns=1
| transpose 0 header_field="Dates" column_name="Dates"
| addtotals row=t col=f fieldname="total_date_columns"
| eval total_date_columns=case(Dates=="total_date_columns",total_date_columns)
| reverse
| filldown total_date_columns
| search Dates!="total_date_columns"
| reverse
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

elliotproebstel
Champion

Assuming the date columns will always take that format, this should work:

your base search
| eval total_date_columns=0
| foreach 2018* 
 [ total_date_columns=total_date_columns+1 ]

vinod94
Contributor

Thanks, it worked!

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Using the Splunk Threat Research Team’s Latest Security Content

REGISTER HERE Tech Talk | Security Edition Did you know the Splunk Threat Research Team regularly releases ...

SplunkTrust | 2024 SplunkTrust Application Period is Open!

It's that time again, folks! That's right, the application/nomination period for the 2024 SplunkTrust is ...