Splunk Enterprise

How to add another column from the same index with stats function?

Neel881
Path Finder

Hello all,

How to add another column from the same index with the stats function?

| makeresults count=1 
| addinfo 
| eval days=mvrange(info_min_time, info_max_time, "1d") 
| mvexpand days 
| eval _time=days
| join type=outer _time [ search index="*appevent" Type="*splunk" 
  | bucket _time span=day 
  | stats count by _time ]
| rename count as "Total"
| eval "New_Date"=strftime(_time,"%Y-%m-%d")
| table "New_Date" "Total"
| fillnull value=0 "Total"


I have used join because I need 30 days of data, even with 0. Please suggest.

0 Karma
1 Solution

ITWhisperer
SplunkTrust
index="*appevent" Type="*splunk" 
| timechart span=1d count as "Total" by Type
| eval "New_Date"=strftime(_time,"%Y-%m-%d")
| untable New_Date Type Total


richgalloway
SplunkTrust

You can use append instead of join.

| makeresults count=1 
| addinfo 
| eval days=mvrange(info_min_time, info_max_time, "1d") 
| mvexpand days 
| eval _time=days, count=0
| append [ search index="*appevent" Type="*splunk" 
  | bucket _time span=day
  | stats count by _time ]
| stats max(count) as Total by _time
| eval "New_Date"=strftime(_time,"%Y-%m-%d")
| table "New_Date" "Total"

Or you can let timechart fill in the zeros.

index="*appevent" Type="*splunk" 
| timechart span=1d count as Total
| eval "New_Date"=strftime(_time,"%Y-%m-%d")
| table "New_Date" "Total"
---
If this reply helps you, Karma would be appreciated.
0 Karma

Neel881
Path Finder

Thank you for your response.

I need to add another column from the same index ('index="*appevent" Type="*splunk"'). The column name is 'Type'. My question is how to add the column 'Type' to the existing query?

Expecting output- 

[screenshot of the expected output, attached to the original post]

| makeresults count=1 
| addinfo 
| eval days=mvrange(info_min_time, info_max_time, "1d") 
| mvexpand days 
| eval _time=days, count=0
| append [ search index="*appevent" Type="*splunk" 
  | bucket _time span=day
  | stats count by _time ]
| stats max(count) as Total by _time
| eval "New_Date"=strftime(_time,"%Y-%m-%d")
| table "New_Date" "Total"

0 Karma

richgalloway
SplunkTrust

The stats command is a transforming command so it discards any fields it doesn't produce or group by.  Add new fields to stats to get them in the output.

| makeresults count=1 
| addinfo 
| eval days=mvrange(info_min_time, info_max_time, "1d") 
| mvexpand days 
| eval _time=days, count=0
| append [ search index="*appevent" Type="*splunk" 
  | bucket _time span=day
  | stats count by _time, Type ]
| stats max(count) as Total by _time, Type
| eval "New_Date"=strftime(_time,"%Y-%m-%d")
| table "New_Date" "Total" Type
---
If this reply helps you, Karma would be appreciated.

ITWhisperer
SplunkTrust

Have you tried this: (timechart uses earliest and latest (info_min_time and info_max_time respectively) and should fill in the missing days automatically)

index="*appevent" Type="*splunk" 
| timechart span=1d count as "Total"
| eval "New_Date"=strftime(_time,"%Y-%m-%d")
| table "New_Date" "Total"

Neel881
Path Finder

Thank you for your response.

I need to add another column from the same index ('index="*appevent" Type="*splunk"'). The column name is 'Type'. My question is how to add the column 'Type' to the existing query?

Expecting output- 

[screenshot of the expected output, attached to the original post]


0 Karma

ITWhisperer
SplunkTrust
index="*appevent" Type="*splunk" 
| timechart span=1d count as "Total" by Type
| eval "New_Date"=strftime(_time,"%Y-%m-%d")
| untable New_Date Type Total

Neel881
Path Finder

Hi, 

How to add/join another column from the same search? Phase is another column in the same index.

index="*appevent" Type="*splunk" 
| timechart span=1d count as "Total" by Type
| eval "New_Date"=strftime(_time,"%Y-%m-%d")
| untable New_Date Type Total

Pls suggest

0 Karma
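The Phase question above is not answered on the page, so here is one way to do it, as an added example that is not from any of the posters. timechart accepts a single split-by field, so the usual way to get two grouping columns (Type and Phase) while keeping timechart's zero-filling of empty days is to combine both fields into one series key before timechart and split it back out after untable. The search filter, index name and the Type and Phase field names are taken from the thread; the series separator "::" and the "unknown" default for a missing Phase are assumptions. Note that the append-based variant in richgalloway's reply only produces a zero row for days that have no events at all; it does not produce a zero row for a Type (or Type/Phase pair) that is absent on a day when other Types have events, which is why the timechart form is used here. limit=0 and useother=f are there because timechart otherwise keeps only the top 10 series and folds the rest into OTHER.

```spl
``` constructed example, not from the original thread ```
index="*appevent" Type="*splunk"
``` assumption: Phase may be missing on some events; give those a fixed label ```
| eval series=Type."::".coalesce(Phase, "unknown")
``` one series per Type/Phase pair; limit=0 and useother=f keep every pair, and
    empty days are filled with 0 for every series over the search time range ```
| timechart span=1d limit=0 useother=f count as Total by series
| eval New_Date=strftime(_time, "%Y-%m-%d")
``` back to one row per day per series, as in the accepted answer ```
| untable New_Date series Total
``` split the combined key back into the two original columns ```
| rex field=series "^(?<Type>.*?)::(?<Phase>.*)$"
| table New_Date Type Phase Total
| sort New_Date Type Phase
```

If the date range should come from the time picker rather than from the earliest event, the timechart form already does that: timechart buckets the whole earliest/latest window, so no makeresults/addinfo scaffolding is needed.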

Neel881
Path Finder

Its working thank you so much!

0 Karma