Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do I pass a single value query output to a field?

twh1
Communicator
‎11-14-2018 09:14 AM

I have a requirement to print the source count from how many hosts we are collecting.

Expected output: source_count/host_count

index=main | eval host_count=[ search index=main sourcetype=log1 | dedup host | stats dc(host) as Host_Count | return $Host_Count | eval source_count=[ search index=main sourcetype=log1 | dedup source | stats dc(source) as Source_Count | return Source_Count] | eval count=source_count + "/" + host_count
0 Karma
Reply

kmaron
Motivator
‎11-14-2018 09:42 AM 
index=main sourcetype=log1 
| stats dc(host) as Host_Count dc(source) as Source_Count 
| eval count=Source_Count + "/" + Host_Count 
| fields count
0 Karma
Reply

twh1
Communicator
‎11-14-2018 09:49 AM

Hi @kmaron
I have two different query to fetch the data. I cann't get both count in same stats.

0 Karma
Reply

kmaron
Motivator
‎11-14-2018 09:53 AM

sorry. they look the same in your example.

Try this instead then 

(first base search)
| stats dc(host) as Host_Count 
| append 
    [ search (second base search)
    | stats dc(source) as Source_Count 
    | fields Source_Count] 
| stats values(Host_Count) as Host_Count values(Source_Count) as Source_Count 
| eval count=Source_Count + "/" + Host_Count 
| fields count
0 Karma
Reply
The Latest From the Splunk Community!