- Find Answers
- :
- Apps & Add-ons
- :
- Splunk Development
- :
- Splunk Dev
- :
- Re: Get total number of columns
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
assigned 2018-02-06 2018-02-08 2018-02-13 2018-02-15
4 0 0 0 0
9 0 0 0 0
10 1 0 0 0
11 1 0 0 0
where the above date values are present in a field called DATES. I have used chart command to get the above table.
I want to create a new column which should give me the total number of date columns.Here, I have 4 dates in my column so the output should look like this
assigned 2018-02-06 2018-02-08 2018-02-13 2018-02-15 total_date_columns
4 0 0 0 0 4
9 0 0 0 0 4
10 1 0 0 0 4
11 1 0 0 0 4
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Assuming the date columns will always take that format, this should work:
your base search
| eval total_date_columns=0
| foreach 2018*
[ total_date_columns=total_date_columns+1 ]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@vinod94, what is your existing chart command that you have used? It is possible that you can have the total_date_columns value calculated in the chart command itself. Also once you get the total_date_columns, what is the next thing you would want to do?
I would also use foreach command. But, here is a run anywhere search with Splunk's _internal index and transpose, addtotals and filldown commands. This is just to document an alternative approach:
index=_internal sourcetype=splunkd log_level!="INFO"
| eval Dates=strftime(_time,"%Y/%m/%d")
| chart count over Dates by component useother=f usenull=f
| eval total_date_columns=1
| transpose 0 header_field="Dates" column_name="Dates"
| addtotals row=t col=f fieldname="total_date_columns"
| eval total_date_columns=case(Dates=="total_date_columns",total_date_columns)
| reverse
| filldown total_date_columns
| search Dates!="total_date_columns"
| reverse
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Assuming the date columns will always take that format, this should work:
your base search
| eval total_date_columns=0
| foreach 2018*
[ total_date_columns=total_date_columns+1 ]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks, it worked!
What’s New in Splunk Enterprise 9.4: Tools for Digital Resilience
Get Schooled with Splunk Education: Explore Our Latest Courses
Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL
