Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to add another column from the same index with stats function?

Neel881
Path Finder
‎03-02-2023 07:17 AM

Hello all,

How to add  another column from the same index with stats function?

| makeresults count=1 | addinfo | eval days=mvrange(info_min_time, info_max_time, "1d") | mvexpand days | eval _time=days
| join type=outer _time [ search index="*appevent" Type="*splunk" | bucket _time span=day | stats count by _time]
| rename count as "Total"
| eval "New_Date"=strftime(_time,"%Y-%m-%d")
| table "New_Date" "Total"| fillnull value=0 "Total"

 

I have used join because I need 30 days data even with 0. Please suggest. 

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-03-2023 05:03 AM 
index="*appevent" Type="*splunk" 
| timechart span=1d count as "Total" by Type
| eval "New_Date"=strftime(_time,"%Y-%m-%d")
| untable New_Date Type Total

View solution in original post

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎03-02-2023 08:07 AM

You can use append instead of join.

| makeresults count=1 
| addinfo 
| eval days=mvrange(info_min_time, info_max_time, "1d") 
| mvexpand days 
| eval _time=days, count=0
| append [ search index="*appevent" Type="*splunk" 
  | bucket _time span=day
  | stats count by _time ]
| stats max(count) as Total by _time
| eval "New_Date"=strftime(_time,"%Y-%m-%d")
| table "New_Date" "Total"

Or you can let timechart fill in the zeros.

index="*appevent" Type="*splunk" 
| timechart span=1d count as Total by _time
| eval "New_Date"=strftime(_time,"%Y-%m-%d")
| table "New_Date" "Total"
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

Neel881
Path Finder
‎03-03-2023 04:20 AM

Thank you for your response.

I need to add another column from the same index ('index="*appevent" Type="*splunk" ). Column name is 'Type'. My question is how to add column 'Type' with the existing query?

Expecting output- 

Neel881_0-1677845873580.png

| makeresults count=1 
| addinfo 
| eval days=mvrange(info_min_time, info_max_time, "1d") 
| mvexpand days 
| eval _time=days, count=0
| append [ search index="*appevent" Type="*splunk" 
  | bucket _time span=day
  | stats count by _time ]
| stats max(count) as Total by _time
| eval "New_Date"=strftime(_time,"%Y-%m-%d")
| table "New_Date" "Total"

 

 

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎03-03-2023 05:28 AM

The stats command is a transforming command so it discards any fields it doesn't produce or group by.  Add new fields to stats to get them in the output.

| makeresults count=1 
| addinfo 
| eval days=mvrange(info_min_time, info_max_time, "1d") 
| mvexpand days 
| eval _time=days, count=0
| append [ search index="*appevent" Type="*splunk" 
  | bucket _time span=day
  | stats count by _time, Type ]
| stats max(count) as Total by _time, Type
| eval "New_Date"=strftime(_time,"%Y-%m-%d")
| table "New_Date" "Total" Type
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-02-2023 07:59 AM

Have you tried this: (timechart uses earliest and latest (info_min_time and info_max_time respectively) and should fill in the missing days automatically)

index="*appevent" Type="*splunk" 
| timechart span=1d count as "Total"
| eval "New_Date"=strftime(_time,"%Y-%m-%d")
| table "New_Date" "Total"
Reply
Solved! Jump to solution

Neel881
Path Finder
‎03-03-2023 04:45 AM

Thank you for your response.

I getting I need to add another column from the same index ('index="*appevent" Type="*splunk" ). Column name is 'Type'. My question is how to add column 'Type' with the existing query?

Expecting output- 

Neel881_0-1677847493745.png

 

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎03-03-2023 05:03 AM 
index="*appevent" Type="*splunk" 
| timechart span=1d count as "Total" by Type
| eval "New_Date"=strftime(_time,"%Y-%m-%d")
| untable New_Date Type Total
Reply
Solved! Jump to solution

Neel881
Path Finder
‎03-08-2023 05:15 AM

Hi, 

How to add/join another column from the same search? Phase is the another column in the same index.

index="*appevent" Type="*splunk" 
| timechart span=1d count as "Total" by Type
| eval "New_Date"=strftime(_time,"%Y-%m-%d")
| untable New_Date Type Total

Pls suggest

0 Karma
Reply
Solved! Jump to solution

Neel881
Path Finder
‎03-03-2023 05:33 AM

Its working thank you so much!

0 Karma
Reply
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...