Splunk Enterprise

How to add another column from the same index with stats function?

Neel881
Path Finder

Hello all,

How to add  another column from the same index with stats function?

| makeresults count=1 | addinfo | eval days=mvrange(info_min_time, info_max_time, "1d") | mvexpand days | eval _time=days
| join type=outer _time [ search index="*appevent" Type="*splunk" | bucket _time span=day | stats count by _time]
| rename count as "Total"
| eval "New_Date"=strftime(_time,"%Y-%m-%d")
| table "New_Date" "Total"| fillnull value=0 "Total"

 

I have used join because I need 30 days data even with 0. Please suggest. 

0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust
index="*appevent" Type="*splunk" 
| timechart span=1d count as "Total" by Type
| eval "New_Date"=strftime(_time,"%Y-%m-%d")
| untable New_Date Type Total

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

You can use append instead of join.

| makeresults count=1 
| addinfo 
| eval days=mvrange(info_min_time, info_max_time, "1d") 
| mvexpand days 
| eval _time=days, count=0
| append [ search index="*appevent" Type="*splunk" 
  | bucket _time span=day
  | stats count by _time ]
| stats max(count) as Total by _time
| eval "New_Date"=strftime(_time,"%Y-%m-%d")
| table "New_Date" "Total"

Or you can let timechart fill in the zeros.

index="*appevent" Type="*splunk" 
| timechart span=1d count as Total by _time
| eval "New_Date"=strftime(_time,"%Y-%m-%d")
| table "New_Date" "Total"
---
If this reply helps you, Karma would be appreciated.
0 Karma

Neel881
Path Finder

Thank you for your response.

I need to add another column from the same index ('index="*appevent" Type="*splunk" ). Column name is 'Type'. My question is how to add column 'Type' with the existing query?

Expecting output- 

Neel881_0-1677845873580.png

| makeresults count=1 
| addinfo 
| eval days=mvrange(info_min_time, info_max_time, "1d") 
| mvexpand days 
| eval _time=days, count=0
| append [ search index="*appevent" Type="*splunk" 
  | bucket _time span=day
  | stats count by _time ]
| stats max(count) as Total by _time
| eval "New_Date"=strftime(_time,"%Y-%m-%d")
| table "New_Date" "Total"

 

 

0 Karma

richgalloway
SplunkTrust
SplunkTrust

The stats command is a transforming command so it discards any fields it doesn't produce or group by.  Add new fields to stats to get them in the output.

| makeresults count=1 
| addinfo 
| eval days=mvrange(info_min_time, info_max_time, "1d") 
| mvexpand days 
| eval _time=days, count=0
| append [ search index="*appevent" Type="*splunk" 
  | bucket _time span=day
  | stats count by _time, Type ]
| stats max(count) as Total by _time, Type
| eval "New_Date"=strftime(_time,"%Y-%m-%d")
| table "New_Date" "Total" Type
---
If this reply helps you, Karma would be appreciated.

ITWhisperer
SplunkTrust
SplunkTrust

Have you tried this: (timechart uses earliest and latest (info_min_time and info_max_time respectively) and should fill in the missing days automatically)

index="*appevent" Type="*splunk" 
| timechart span=1d count as "Total"
| eval "New_Date"=strftime(_time,"%Y-%m-%d")
| table "New_Date" "Total"

Neel881
Path Finder

Thank you for your response.

I getting I need to add another column from the same index ('index="*appevent" Type="*splunk" ). Column name is 'Type'. My question is how to add column 'Type' with the existing query?

Expecting output- 

Neel881_0-1677847493745.png

 

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust
index="*appevent" Type="*splunk" 
| timechart span=1d count as "Total" by Type
| eval "New_Date"=strftime(_time,"%Y-%m-%d")
| untable New_Date Type Total

Neel881
Path Finder

Hi, 

How to add/join another column from the same search? Phase is the another column in the same index.

index="*appevent" Type="*splunk" 
| timechart span=1d count as "Total" by Type
| eval "New_Date"=strftime(_time,"%Y-%m-%d")
| untable New_Date Type Total

Pls suggest

0 Karma

Neel881
Path Finder

Its working thank you so much!

0 Karma
Get Updates on the Splunk Community!

New Case Study Shows the Value of Partnering with Splunk Academic Alliance

The University of Nevada, Las Vegas (UNLV) is another premier research institution helping to shape the next ...

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...