Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Can you make append not start on a new line?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
summitsplunk
Communicator
04-13-2018
02:18 PM
LIke if I run this query:
index=myindex | stats count AS Total1 BY host | append [ search index=myindex | stats count AS Total2 BY source]
I want the statistics for Total2 to be on the same line as Total1, or am I just using the wrong command?
I just want to make two search queries of the same index to be able to compare them on the statistics tab.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
elliotproebstel
Champion
04-13-2018
04:15 PM
It will always do that, but this will give you what you want:
index=myindex
| stats count AS Total1 BY host
| append
[ search index=myindex
| stats count AS Total2 BY source]
| stats max(Total1) AS Total1 max(Total2) AS Total2 by host, source
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
summitsplunk
Communicator
04-14-2018
10:56 AM
Thanks everyone. All were good ideas but they only let me accept one answer.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
niketn
Legend
04-14-2018
11:53 AM
@summitsplunk, since you have already up-voted the remaining answers, you have done your part. Glad you could find the answers useful 🙂
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Kirantcs
Path Finder
04-14-2018
06:37 AM
Hi instead of append,try join
index=a
|stats count by host
|join type=left/inner host
[search index=b
|stats count by host]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
niketn
Legend
04-14-2018
02:26 AM
@summitsplunk, depends on what is your use case and what is the required output.
index=_internal log_level=* sourcetype=*
| stats count AS Total1 BY log_level
| append
[ search index=_internal
| stats count AS Total2 BY sourcetype]
| fillnull value="-"
| stats max(Total1) AS Total1 max(Total2) AS Total2 by log_level, sourcetype
Or
index=_internal log_level=* sourcetype=*
| stats count AS Total BY log_level
| rename log_level as Field
| append
[ search index=_internal
| stats count AS Total BY sourcetype
| rename sourcetype as Field]
Or
index=_internal log_level=* sourcetype=*
| stats count AS Total BY log_level, sourcetype
| eventstats sum(Total) as Total_log_level by log_level
| eventstats sum(Total) as Total_sourcetype by sourcetype
Or
index=_internal log_level=* sourcetype=*
| stats count AS Total BY log_level, sourcetype
| chart last(Total) as Total by log_level sourcetype
| fillnull value=0
| addtotals col=t row=t labelfield=log_level label=Total
See if one of them fits your needs.
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
elliotproebstel
Champion
04-13-2018
04:15 PM
It will always do that, but this will give you what you want:
index=myindex
| stats count AS Total1 BY host
| append
[ search index=myindex
| stats count AS Total2 BY source]
| stats max(Total1) AS Total1 max(Total2) AS Total2 by host, source
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
niketn
Legend
04-14-2018
02:28 AM
@elliotproebstel, you should have fillnull to ensure null fields are still accounted in the final stats | fillnull value="-"
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
elliotproebstel
Champion
04-14-2018
09:45 AM
Nice correction, thanks!
Get Updates on the Splunk Community!
Splunk Mobile: Your Brand-New Home Screen
Meet Your New Mobile Hub
Hello Splunk Community!
Staying connected to your data—no matter where you are—is ...
Introducing Value Insights (Beta): Understand the Business Impact your organization ...
Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...
Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...
As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...
