Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can you help fix the output of appencols and stats list in this search?

mahbs
Path Finder
‎11-30-2017 08:48 AM

Hi,

I'm trying to list data per field. I've used stats list which works partially, it lists all the data for both fields into a single field.

This is what I want:

USER      ERROR    
 -------------------------
 user1     error1
                error2
                error3
 -------------------------
 user2     error4
                error5

However, this is what I'm getting:

USER      ERROR    
 -------------------------
 user     error1    
                error 2   
                error 3
                error 4
                error 5

 -------------------------
 user2

This is my query:

 index=xxx sourcetype=xxx host=n | fieldsummary | fields field,count | regex field="^([A-Z_]+)$" | rename count as Count_V8 | join field [search index=drv sourcetype=xxx host=N|fieldsummary | fields field,count | regex field="^([A-Z_]+)$" | rename count as Count_V14] | eval match=if(Count_V8==Count_V14, "match", "No Match") |  eventstats max(Count_V14) AS maximum_V14| eval internal_diff=if(maximum_V14==Count_V14, "== Max Value", "<Max value") | eval All_Fields=if(internal_diff=="<Max value", field, "safe") | where All_Fields !="safe" | appendcols [search index=drv sourcetype=nl_loca_chain | where isnull(All_Fields) | rename _raw as Raw | stats list(Raw)]

The appendcols subsearch bit is the most relevant bit.

I've tried sticking "by field" after stats list(Raw) but it doesn't work.

Please Help!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎12-01-2017 07:51 AM

I think you're better off with map command which will, for each All_Fields values, run that subsearch. Something like this

index=xxx sourcetype=xxx host=n | fieldsummary | fields field,count | regex field="^([A-Z_]+)$" | rename count as Count_V8 | join field [search index=drv sourcetype=xxx host=N|fieldsummary | fields field,count | regex field="^([A-Z_]+)$" | rename count as Count_V14] | eval match=if(Count_V8==Count_V14, "match", "No Match") |  eventstats max(Count_V14) AS maximum_V14| eval internal_diff=if(maximum_V14==Count_V14, "== Max Value", "<Max value") | eval All_Fields=if(internal_diff=="<Max value", field, "safe") | where All_Fields !="safe" 
| map search="search index=drv sourcetype=nl_loca_chain | where isnull('$All_Fields$') | rename _raw as Raw | stats list(Raw)  as Raw | eval All_Fields=\"$All_Fields$\""

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎12-01-2017 07:51 AM

I think you're better off with map command which will, for each All_Fields values, run that subsearch. Something like this

index=xxx sourcetype=xxx host=n | fieldsummary | fields field,count | regex field="^([A-Z_]+)$" | rename count as Count_V8 | join field [search index=drv sourcetype=xxx host=N|fieldsummary | fields field,count | regex field="^([A-Z_]+)$" | rename count as Count_V14] | eval match=if(Count_V8==Count_V14, "match", "No Match") |  eventstats max(Count_V14) AS maximum_V14| eval internal_diff=if(maximum_V14==Count_V14, "== Max Value", "<Max value") | eval All_Fields=if(internal_diff=="<Max value", field, "safe") | where All_Fields !="safe" 
| map search="search index=drv sourcetype=nl_loca_chain | where isnull('$All_Fields$') | rename _raw as Raw | stats list(Raw)  as Raw | eval All_Fields=\"$All_Fields$\""
0 Karma
Reply
Solved! Jump to solution

mahbs
Path Finder
‎12-01-2017 08:10 AM

You Sir, are amazing! Thank you sooooooo muchhhh!!!!!! It worked

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎12-01-2017 08:13 AM

Glad to be of help. Don't forget to mark your question closed by accepting the answer.

0 Karma
Reply
Solved! Jump to solution

DalJeanis
Legend
‎11-30-2017 01:55 PM

I don't see an appendcols subsearch in your code. Please post the entire code and mark it with the code button.

0 Karma
Reply
Solved! Jump to solution

mahbs
Path Finder
‎12-01-2017 12:55 AM

Hi Dal, I've made the adjustments, please have a look

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎11-30-2017 09:22 AM

Append cols will just appends columns row by row and since your appendcols subsearch have only one row, everything appears in first row. Do you have any common field between those two result sets?

0 Karma
Reply
Solved! Jump to solution

mahbs
Path Finder
‎12-01-2017 12:57 AM

Unfortunately I don't. The subsearch returns events which I want to append to the relevant field. Each field produces events, and I simply want to append those events to those fields. It's nearly there, I'm just missing one piece of the puzzle

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎12-01-2017 07:11 AM

So how do you decide how many entries from list(Raw) will be added to first row, second row etc...?

0 Karma
Reply
Solved! Jump to solution

mahbs
Path Finder
‎12-01-2017 07:20 AM

Well, I've got a variable called All_Fields, which contains data that filters for raw data relevant to that field. I wanted to use "By Field" to assign the raw data to a field, but that's not working

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎12-01-2017 07:30 AM

What all fields are available before the appendcols?
And how many rows will be there (max)?

0 Karma
Reply
Solved! Jump to solution

mahbs
Path Finder
‎12-01-2017 07:33 AM

There'll be two rows. There are two fields that's being passed to the subsearch through the variable All_Fields. In

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform

 Are you ready to revolutionize your IT operations? As digital transformation accelerates, the demand for ...

Calling All Security Pros: Ready to Race Through Boston?

Hey Splunkers, .conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Financial services organizations face an impossible equation: maintain 99.9% uptime for mission-critical ...