Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Combine 2 cols in one

MaximeM
Explorer
‎11-07-2012 02:40 AM

Hi there. I'm trying to get the number of some operations (each operation corresponding to a number (field "tag")) that take a certain time to be executed.
Here is my command :

host="yvas7300" sourcetype="accesslog" type_op="result"  etime<"0.010" | stats count(tag) BY tag | fillnull count(tag) | rename count(tag) AS nb_tr0 
| appendcols [search host="yvas7300" sourcetype="accesslog" type_op="result" etime>"0.010" AND etime<"0.100" | stats count(tag) by  tag | rename count(tag) AS nb_tr1, tag AS tag2 | fillnull nb_tr1 | fields tag2 nb_tr1]

And I get as a result something like :

tag     nb_tr0      tag2      nb_tr1

1        10         1         11
2        20         3         22
3        30         5         55
4        40

And I would like to get that :

tag     nb_tr0      nb_tr1

1       10          11
2       20
3       30          22
4       40
5                   55

So it is like combining the two fields tag and tag2. Can someone help me to find a solution ?

P.S. : Sorry for bad grammar, English is not my first language.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

MaximeM
Explorer
‎11-07-2012 11:35 PM

I have found a solution. I need to use "append" instead of "appendcols". So with some "stats" operation, I can get the result I need.
Here is my solution :

host="yvas7300" sourcetype="accesslog" type_op="result"  etime<"0.010" | stats count(tag) BY tag | rename count(tag) AS nb_tr0 | fillnull nb_tr0
| append [search host="yvas7300" sourcetype="accesslog" type_op="result" etime>"0.010" AND etime<"0.100" 
    | stats count(tag) by tag | rename count(tag) AS nb_tr1 | fillnull nb_tr1 | fields tag nb_tr1]
| stats sum(nb_tr0) sum(nb_tr1) by tag

(The operation sum is certainly not the most intuitive operation to use, but it actually works.)

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

MaximeM
Explorer
‎11-07-2012 11:35 PM

I have found a solution. I need to use "append" instead of "appendcols". So with some "stats" operation, I can get the result I need.
Here is my solution :

host="yvas7300" sourcetype="accesslog" type_op="result"  etime<"0.010" | stats count(tag) BY tag | rename count(tag) AS nb_tr0 | fillnull nb_tr0
| append [search host="yvas7300" sourcetype="accesslog" type_op="result" etime>"0.010" AND etime<"0.100" 
    | stats count(tag) by tag | rename count(tag) AS nb_tr1 | fillnull nb_tr1 | fields tag nb_tr1]
| stats sum(nb_tr0) sum(nb_tr1) by tag

(The operation sum is certainly not the most intuitive operation to use, but it actually works.)

0 Karma
Reply
Solved! Jump to solution

bmacias84
Champion
‎11-07-2012 06:50 AM

This sounds like good case for join. I about your search but it might look something like this.



host="yvas7300" sourcetype="accesslog" type_op="result"  etime<"0.010" | stats count(tag) as nb_tr0 by tag | fillnull nb_tr0 | fields tag,nb_tr0 | join tag[search host="yvas7300" sourcetype="accesslog" type_op="result" etime>"0.010" AND etime<"0.100" | stats count(tag) as nb_tr1 by tag | fillnull n_tr1 | fields tag,nb_tr1]|table tag,nb_tr0,nb_tr1

Additional reading:

Using join tag on your subsearch tell Splunk to join your two search on the common field of tag. You may need to experiment with this to get the exact results you want.

Hope this helps or gets you started. Don't forget to thumbs up or accept answers that help.

Cheers,

0 Karma
Reply
Solved! Jump to solution

MaximeM
Explorer
‎11-07-2012 11:28 PM

Thanks for your answer. I tried to use "join tag" but it can't work everytime in this case. For example, If you get an operation X in the subsearch that is not present in the search (like the operation 5 in my post), it will not be displayed in the results.

0 Karma
Reply
Solved! Jump to solution

dmaislin_splunk
Splunk Employee
Splunk Employee
‎11-07-2012 05:15 AM

Use the Splunk search command called strcat? Would that work for you?

0 Karma
Reply
Solved! Jump to solution

dmaislin_splunk
Splunk Employee
Splunk Employee
‎11-07-2012 05:35 AM

Sorry, I misunderstood the question.

0 Karma
Reply
Solved! Jump to solution

MaximeM
Explorer
‎11-07-2012 05:31 AM

Thanks for your answer, but I can't figure how the strcat command can help there. I need to add the "tag2" values in the field "tag1", and not to concatenate them together.

0 Karma
Reply
Get Updates on the Splunk Community!

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

&#x1f5e3; You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...

Splunk New Course Releases for a Changing World

Every day, the world feels like it’s moving faster with new technological breakthroughs, AI innovation, and ...

Insights from .conf 2025, Smart Edge Processor Scaling, and a New Splunk Lantern ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...