Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to combine multiple panels into one table?

JoshuaJohn
Contributor
‎04-24-2017 03:12 PM

I have multiple single value number panels I want to combine into one table, I want my table to look somewhat like this:

alt text
I have these few searches as single panels that I want to put into the table, I also wanted to create a description spot for each of the single panels rows. I attempted to do this with Join then added an appendcols for the description but was unsuccessful any ideas?

|inputlookup blah.csv |search "Match on SCCM"=FALSE |rename "Assets Store #" as Store_Number|rename "Assets Store Desc" as Store_Desc|rename mac as Mac_Address |table "SCCM Store" Store_Number Store_Desc "Match on SCCM" "Serial number" Mac_Address |stats count by "Match on SCCM" |stats sum(count)

|inputlookup blah.csv | search Status!="In use" |rename "Assets Store #" as Store_Number|rename "Assets Store Desc" as Store_Desc|rename mac as Mac_Address |rename "SCCM IP Address" as IP_Address| table Store_Number Mac_Address  "IP_Address" "Status" |dedup Mac_Address |dedup "Store_Number" |stats count by "Store_Number" |stats sum(count) as count

|inputlookup blah.csv |rename "Assets Store #" as Store_Number|rename "Assets Store Desc" as Store_Desc|rename mac as Mac_Address |rename "Windows OS Version" as Windows_Version | search Windows_Version!=10.* | sort "Store_Number" - 0|table Store_Number Mac_Address   "Windows_Version" |stats count by Windows_Version |stats sum(count) as count

Any ideas?

Preview file
1 KB
0 Karma
Reply

adonio
Ultra Champion
‎04-24-2017 07:13 PM

break this down:

|inputlookup blah.csv

combine all the | rename to one using commas

|rename "Assets Store #" as Store_Number, "Assets Store Desc" as Store_Desc, mac as Mac_Address, "SCCM IP Address" as IP_Address, "Windows OS Version" as Windows_Version

search for the events we want:

|search Windows_Version!=10.* OR Status!="In use" OR "Match on SCCM"=FALSE

count by the fields we need:

|stats count by Windows_Version "Store_Number" "Match on SCCM"

you can add the | sum(count) or maybe | table count depends on how you would like the results presented

hope it helps

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...