- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to edit my search to combine 4 columns int...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to edit my search to combine 4 columns into one total column?
Hi
I'm new to the community and to Splunk. I am trying to combine the 4 columns my search creates into one total column or one column that is separated by the 4 search terms (it's one column with different colors for the different search terms) . This is my search term below: (This creates 4 columns: CREATED, LINKED, Session_Cancelled, and Session_Failed)
index=company_myapp REQUEST_URL:*payment/myapp* AND (REQUEST_METHOD:PUT OR REQUEST_METHOD:POST) AND (CURRENT_STATUS:CREATED OR CURRENT_STATUS:LINKED OR CURRENT_STATUS:SESSION_*) | rex "CURRENT_STATUS:(?.*)" |stats count by status_name
I tried this, but Splunk said index is not a search term.
index=company_myapp REQUEST_URL:*payment/myapp* AND (REQUEST_METHOD:PUT OR REQUEST_METHOD:POST) AND (CURRENT_STATUS:CREATED OR CURRENT_STATUS:LINKED OR CURRENT_STATUS:SESSION_*) | rex "CURRENT_STATUS:(?.*)" |stats count by status_name | append [index=company_myapp REQUEST_URL:*payment/myapp* | stats count by URL]
Any suggestions, ideas?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
See if this gives you what you are looking for
index=company_myapp REQUEST_URL:*payment/myapp* AND (REQUEST_METHOD:PUT OR REQUEST_METHOD:POST) AND (CURRENT_STATUS:CREATED OR CURRENT_STATUS:LINKED OR CURRENT_STATUS:SESSION_*) | rex "CURRENT_STATUS:(?.*)" | stats latest(status_name) as status by url
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This returned "no data"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Does your data have status_name and url fields extracted? If no, those need to be extracted using rex or some other method.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Subsearches have to start with the command search. So this should work:
index=company_myapp REQUEST_URL:*payment/myapp* AND
(REQUEST_METHOD:PUT OR REQUEST_METHOD:POST) AND
(CURRENT_STATUS:CREATED OR CURRENT_STATUS:LINKED OR CURRENT_STATUS:SESSION_*)
| rex "CURRENT_STATUS:(?<status_name>.*)"
| stats count by status_name
| append [search index=company_myapp REQUEST_URL:*payment/myapp* | stats count by URL]
Edit:
Your rex command is wrong in this. Sorry no testing ground at the moment.
Not sure about the field name status_name.
If all fails, do you have some example events (sanitized) to show?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This returned the original graph to me
Get Schooled with Splunk Education: Explore Our Latest Courses
Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL
Buttercup Games: Further Dashboarding Techniques (Part 5)
