Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to add another column from the same index with stats function?

Neel881
Path Finder
‎03-02-2023 07:17 AM

Hello all,

How to add  another column from the same index with stats function?

| makeresults count=1 | addinfo | eval days=mvrange(info_min_time, info_max_time, "1d") | mvexpand days | eval _time=days
| join type=outer _time [ search index="*appevent" Type="*splunk" | bucket _time span=day | stats count by _time]
| rename count as "Total"
| eval "New_Date"=strftime(_time,"%Y-%m-%d")
| table "New_Date" "Total"| fillnull value=0 "Total"

 

I have used join because I need 30 days data even with 0. Please suggest. 

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-03-2023 05:03 AM 
index="*appevent" Type="*splunk" 
| timechart span=1d count as "Total" by Type
| eval "New_Date"=strftime(_time,"%Y-%m-%d")
| untable New_Date Type Total

View solution in original post

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎03-02-2023 08:07 AM

You can use append instead of join.

| makeresults count=1 
| addinfo 
| eval days=mvrange(info_min_time, info_max_time, "1d") 
| mvexpand days 
| eval _time=days, count=0
| append [ search index="*appevent" Type="*splunk" 
  | bucket _time span=day
  | stats count by _time ]
| stats max(count) as Total by _time
| eval "New_Date"=strftime(_time,"%Y-%m-%d")
| table "New_Date" "Total"

Or you can let timechart fill in the zeros.

index="*appevent" Type="*splunk" 
| timechart span=1d count as Total by _time
| eval "New_Date"=strftime(_time,"%Y-%m-%d")
| table "New_Date" "Total"
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

Neel881
Path Finder
‎03-03-2023 04:20 AM

Thank you for your response.

I need to add another column from the same index ('index="*appevent" Type="*splunk" ). Column name is 'Type'. My question is how to add column 'Type' with the existing query?

Expecting output- 

Neel881_0-1677845873580.png

| makeresults count=1 
| addinfo 
| eval days=mvrange(info_min_time, info_max_time, "1d") 
| mvexpand days 
| eval _time=days, count=0
| append [ search index="*appevent" Type="*splunk" 
  | bucket _time span=day
  | stats count by _time ]
| stats max(count) as Total by _time
| eval "New_Date"=strftime(_time,"%Y-%m-%d")
| table "New_Date" "Total"

 

 

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎03-03-2023 05:28 AM

The stats command is a transforming command so it discards any fields it doesn't produce or group by.  Add new fields to stats to get them in the output.

| makeresults count=1 
| addinfo 
| eval days=mvrange(info_min_time, info_max_time, "1d") 
| mvexpand days 
| eval _time=days, count=0
| append [ search index="*appevent" Type="*splunk" 
  | bucket _time span=day
  | stats count by _time, Type ]
| stats max(count) as Total by _time, Type
| eval "New_Date"=strftime(_time,"%Y-%m-%d")
| table "New_Date" "Total" Type
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-02-2023 07:59 AM

Have you tried this: (timechart uses earliest and latest (info_min_time and info_max_time respectively) and should fill in the missing days automatically)

index="*appevent" Type="*splunk" 
| timechart span=1d count as "Total"
| eval "New_Date"=strftime(_time,"%Y-%m-%d")
| table "New_Date" "Total"
Reply
Solved! Jump to solution

Neel881
Path Finder
‎03-03-2023 04:45 AM

Thank you for your response.

I getting I need to add another column from the same index ('index="*appevent" Type="*splunk" ). Column name is 'Type'. My question is how to add column 'Type' with the existing query?

Expecting output- 

Neel881_0-1677847493745.png

 

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-03-2023 05:03 AM 
index="*appevent" Type="*splunk" 
| timechart span=1d count as "Total" by Type
| eval "New_Date"=strftime(_time,"%Y-%m-%d")
| untable New_Date Type Total
Reply
Solved! Jump to solution

Neel881
Path Finder
‎03-08-2023 05:15 AM

Hi, 

How to add/join another column from the same search? Phase is the another column in the same index.

index="*appevent" Type="*splunk" 
| timechart span=1d count as "Total" by Type
| eval "New_Date"=strftime(_time,"%Y-%m-%d")
| untable New_Date Type Total

Pls suggest

0 Karma
Reply
Solved! Jump to solution

Neel881
Path Finder
‎03-03-2023 05:33 AM

Its working thank you so much!

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...