Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I use appdncols command in order to aggregate in a table the result of different search?

jip31
Motivator
‎03-18-2022 12:49 AM

hello

I use appdncols command in order to aggregate in a table the result of different search

jip31_2-1647589211599.png

I have 2 issues with the 3 fields In yellow

Issue 1

If dont use the piece of code below, the field "Tea" is not displayed (same thing for INC & OUT)

 

 

 

 | appendpipe 
        [ stats count as _events 
        | where _events = 0 
        | eval "Tea"= 0]]

 

 

 

Issue 2

the appendpipe command put only "0" in the first line but not in other

Here is the search :

 

 

 

| appendcols 
    [ search index=titi earliest=@d+7h latest=@d+19h 
    | bin span=1h _time 
    | eval time = strftime(_time, "%H:%M") 
    | stats dc(Tea) as Tea by time 
    | rename time as Heure 
    | appendpipe 
        [ stats count as _events 
        | where _events = 0 
        | eval Tea= 0] ] 
| appendcols 
    [ search index=tutu earliest=@d+7h latest=@d+19h 
    | bin span=1h _time 
    | eval time = strftime(_time, "%H:%M")  
    | stats dc(s) as "OUT" by time 
    | rename time as Heure 
    | appendpipe 
        [ stats count as _events 
        | where _events = 0 
        | eval "OUT"= 0]]

 

 

 

What is wrong please?

And I have something else strange

As you can, the the results is 0, the results is ususally displayed

But why sometimes I have an empty field instaed 0 like in yellow?

jip31_0-1647591341152.png

Is anybody can give the solution for displaying the results in any case when the value is 0?

 

Tags (1)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-18-2022 02:49 AM

Try something like this

| fillnull value=0
0 Karma
Reply

jip31
Motivator
‎03-18-2022 03:28 AM

when I execute the search outsite the appendcols

 

index=test earliest=@d+7h latest=@d+19h 
| bin span=1h _time 
| eval time = strftime(_time, "%H:%M") 
| fillnull value=0 
| stats dc(id) as id by time 
| rename time as Heure

 

here is the result

jip31_0-1647598875501.png

as you can see the first result is at 8:00

But when I execute the code in the gloabl search, the first is result is at 7h... (it's the last column on the right)

 
 

jip31_0-1647599289568.png

How is it possible to have 1h gap?

 
 

 

 

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-18-2022 04:00 AM

How is it possible to tell what is wrong if you don't provide the searches you are comparing?

By the way, the fillnull should be added at the end of the search which produced the second graphic.

0 Karma
Reply

jip31
Motivator
‎03-18-2022 04:49 AM

Here is  the xml

https://www.cjoint.com/c/LCslTFsaF1Q

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-19-2022 05:36 AM

This isn't the XML!

0 Karma
Reply

jip31
Motivator
‎03-19-2022 10:16 PM

I checked it and its the xml... what is your problem exactly?

https://www.cjoint.com/c/LCufzkXpwpg

Click on red buttons for download

You can see a piece of code where there is the problem

| appendcols 
    [ search `indexcs` sourcetype=sig earliest=@d+7h latest=@d+19h 
    | bin span=1h _time 
    | eval time = strftime(_time, "%H:%M") 
    | fillnull value=0 
    | stats dc(sig) as  "incidents" by time 
    | rename time as Heure ] 
| appendcols ....

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-19-2022 11:32 PM

fillnull value=0 needs to go at the very end (after the closing bracket of the last appendcols)

0 Karma
Reply

jip31
Motivator
‎03-20-2022 12:32 AM

OK i am going to test

Just thing strange is that 0 is put automaticcally in some résults wihout fillnull =0 but for the exemple I sent you it seems that when result=0 there is nothing returnerd....

0 Karma
Reply

jip31
Motivator
‎03-18-2022 02:59 AM

I have already tried, it does nOthing...

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-18-2022 03:01 AM

Can you share your full search with the fillnull included?

0 Karma
Reply

jip31
Motivator
‎03-18-2022 09:08 PM

Have you an idea concerning this strange behavior?

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Enhance Security Operations with Automated Threat Analysis in the Splunk EcosystemAre you leveraging ...

What Is Splunk? Here’s What You Can Do with Splunk

Hey Splunk Community, we know you know Splunk. You likely leverage its unparalleled ability to ingest, index, ...

Level Up Your .conf25: Splunk Arcade Comes to Boston

With .conf25 right around the corner in Boston, there’s a lot to look forward to — inspiring keynotes, ...