Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I pass a single value query output to a field?

twh1
Communicator
‎11-14-2018 09:14 AM

I have a requirement to print the source count from how many hosts we are collecting.

Expected output: source_count/host_count

index=main | eval host_count=[ search index=main sourcetype=log1 | dedup host | stats dc(host) as Host_Count | return $Host_Count | eval source_count=[ search index=main sourcetype=log1 | dedup source | stats dc(source) as Source_Count | return Source_Count] | eval count=source_count + "/" + host_count
0 Karma
Reply

kmaron
Motivator
‎11-14-2018 09:42 AM 
index=main sourcetype=log1 
| stats dc(host) as Host_Count dc(source) as Source_Count 
| eval count=Source_Count + "/" + Host_Count 
| fields count
0 Karma
Reply

twh1
Communicator
‎11-14-2018 09:49 AM

Hi @kmaron
I have two different query to fetch the data. I cann't get both count in same stats.

0 Karma
Reply

kmaron
Motivator
‎11-14-2018 09:53 AM

sorry. they look the same in your example.

Try this instead then 

(first base search)
| stats dc(host) as Host_Count 
| append 
    [ search (second base search)
    | stats dc(source) as Source_Count 
    | fields Source_Count] 
| stats values(Host_Count) as Host_Count values(Source_Count) as Source_Count 
| eval count=Source_Count + "/" + Host_Count 
| fields count
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...