Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How can I average a dynamic column created using e...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would like to display some data that has columns based on dynamic data from the search results.
e.g. Assuming I have a query to calculate which two servers have the most users logging into them. I can write a query to give me the data in the form of:
Date | ServerWithMostLogins | ServerWithSecondToMostLogins
However, rather than calling the columns ServerWithMostLogins, I'd rename the column to the server's name.
I know I can use something like | eval {ServerName} but then I don't think I would be able to run stats over that column.
Is this possible?
Edit, for example, say I have this data in my search result:
Date=Today UserName=user1 ServerLoggedInto=Server23
Date=Today UserName=user45 ServerLoggedInto=Server33
Date=Today UserName=user11 ServerLoggedInto=Server23
Date=Today UserName=user11 ServerLoggedInto=Server23
etc
What I would like is to display which 2 servers have the most logins:
| Date | Server23 | Server 33 |
+---------+----------+-----------+
| Today | 3 | 1 |
I get most of this, the thing currently stumping me is how to get the ServerName as the column name.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Like this:
... | chart count over host | addtotals col=t row=f | fillnull value="TOTAL" | sort 3 - count | eval dummy="dummy" | chart first(count) AS count over dummy by host | fields - dummy
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Like this:
... | chart count over host | addtotals col=t row=f | fillnull value="TOTAL" | sort 3 - count | eval dummy="dummy" | chart first(count) AS count over dummy by host | fields - dummy
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the suggestion. Your answer led me in the right direction.
The main important thing was learning that stats and chart may look identical, but they are very different.
I also used information from this answer as well: https://answers.splunk.com/answers/506/split-by-by-clause-of-chart-only-takes-2-dimensions-we-want-3...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Given your clarification, this would be better (you must run timepicker on some subsection of Today😞
... | stats count BY host | addtotals col=t row=f | fillnull value="TOTAL" | sort 3 - count | eval Date="Today" | chart first(count) AS count over Date BY host
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks, I'll try this
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you expand on what the table you have looks like and what the table you want looks like ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Added more information.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Unlocking Unified Insights: New Gigamon Federated Search App for Splunk
GA: New Data Management App in Splunk Platform
Announcing Modern Navigation: A New Era of Splunk User Experience
