Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can you make append not start on a new line?

summitsplunk
Communicator
‎04-13-2018 02:18 PM

LIke if I run this query:

index=myindex | stats count AS Total1 BY host | append [ search index=myindex | stats count AS Total2 BY source]

I want the statistics for Total2 to be on the same line as Total1, or am I just using the wrong command?

I just want to make two search queries of the same index to be able to compare them on the statistics tab.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

elliotproebstel
Champion
‎04-13-2018 04:15 PM

It will always do that, but this will give you what you want:

index=myindex 
| stats count AS Total1 BY host 
| append 
 [ search index=myindex 
  | stats count AS Total2 BY source]
| stats max(Total1) AS Total1 max(Total2) AS Total2 by host, source

View solution in original post

Reply
Solved! Jump to solution

summitsplunk
Communicator
‎04-14-2018 10:56 AM

Thanks everyone. All were good ideas but they only let me accept one answer.

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎04-14-2018 11:53 AM

@summitsplunk, since you have already up-voted the remaining answers, you have done your part. Glad you could find the answers useful 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

Kirantcs
Path Finder
‎04-14-2018 06:37 AM

Hi instead of append,try join

index=a
|stats count by host
|join type=left/inner host
[search index=b
|stats count by host]

Reply
Solved! Jump to solution

niketn
Legend
‎04-14-2018 02:26 AM

@summitsplunk, depends on what is your use case and what is the required output.

index=_internal log_level=* sourcetype=*
| stats count AS Total1 BY log_level 
| append 
    [ search index=_internal 
    | stats count AS Total2 BY sourcetype] 
| fillnull value="-"  
| stats max(Total1) AS Total1 max(Total2) AS Total2 by log_level, sourcetype

Or 

index=_internal log_level=* sourcetype=*
| stats count AS Total BY log_level 
| rename log_level as Field
| append 
    [ search index=_internal 
    | stats count AS Total BY sourcetype
    | rename sourcetype as Field]

Or

index=_internal log_level=* sourcetype=*
| stats count AS Total BY log_level, sourcetype
| eventstats sum(Total) as Total_log_level by log_level
| eventstats sum(Total) as Total_sourcetype by sourcetype

Or

index=_internal log_level=* sourcetype=*
| stats count AS Total BY log_level, sourcetype
| chart last(Total) as Total by log_level sourcetype
| fillnull value=0
| addtotals col=t row=t labelfield=log_level label=Total

See if one of them fits your needs.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Solved! Jump to solution
Solution

elliotproebstel
Champion
‎04-13-2018 04:15 PM

It will always do that, but this will give you what you want:

index=myindex 
| stats count AS Total1 BY host 
| append 
 [ search index=myindex 
  | stats count AS Total2 BY source]
| stats max(Total1) AS Total1 max(Total2) AS Total2 by host, source
Reply
Solved! Jump to solution

niketn
Legend
‎04-14-2018 02:28 AM

@elliotproebstel, you should have fillnull to ensure null fields are still accounted in the final stats | fillnull value="-"

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Solved! Jump to solution

elliotproebstel
Champion
‎04-14-2018 09:45 AM

Nice correction, thanks!

Reply
Get Updates on the Splunk Community!

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...