Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to format results getting from multiple append?

MrIncredible
Explorer
‎01-06-2023 03:15 AM

Query:

index="web_app" (application= "abc-dxn-message-api" AND tracepoint= "START") (facility="d55075aaedc86d6577676605c0b5f3c0" OR "XYZ") | stats count as Input
|append [search (application= "hum-message-api" AND tracepoint= "END") (facility="d55075aaedc86d6577676605c0b5f3c0" OR "XYZ") | stats count as Processed]
|append [search (facility="d55075aaedc86d6577676605c0b5f3c0" OR "XYZ") "ERROR" | stats count as Error]
| transpose column_name="Bundle"

Current Result: 4 columns * 3 rows

MrIncredible_0-1673003404390.png

 

Expected Result: 2 columns * 3 rows

Bundle    Count

Input           x

Error            x

Processed x

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎01-06-2023 05:17 AM

It's not "(*) AS *" but you need to take whole "values(*) AS *". It's a useful shorthand in splunk stats which works twofold.

Firstly - values(*) can be used to specify the same aggregation on all fields (or a subset of fields if you only match field names partially. This way you can avoid specifying multiple fields explicitly which makes the search easier to read and you can account for field names that you don't know the names beforehand. You just write values(*) and let splunk worry about the field names - you'll get a separate aggregation on each field that there is.

So that's one thing.

Secondly, we have wildcarded rename (the "AS" part). Without it we would get columns with names "values(Input)", "values(Processed)", and "values(Bundle)". We could live with that but it's not a pretty solution. So we apply the rename which - in case we use our stats with wildcard - can also take wildcard as argument which means that for each "source" column we will name the resulting column the same.

View solution in original post

Reply
Solved! Jump to solution

MrIncredible
Explorer
‎01-06-2023 05:19 AM

Thanks very much @PickleRick for explanation.

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎01-06-2023 03:39 AM

OK. Let me help you understand what's going on.

You have three separate searches which produce diffently named field in the output.

Just remove the final transpose from your command and you'll see.

You'll get something like

InputProcessedBundle
123  
 432 
  12

 

Which is perfectly understandable.

Now if you transpose it you just change the rows to columns and vice versa so you're getting a half-empty table.

What you need is to "compact" your results before calling transpose so you have just one row which after transposition will get to be one column.

So the easiest way is to do

| stats values(*) as *

That way you'll get just one row in your results with all the fields set by your appended subsearches. Now you can freely transpose this row if you wish 🙂

0 Karma
Reply
Solved! Jump to solution

MrIncredible
Explorer
‎01-06-2023 04:15 AM

Thanks @PickleRick its working but do you mind if I ask you to explain this part a bit "stats values(*) as *" specially (*) as *.  🙂

 

TIA

0 Karma
Reply
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎01-06-2023 05:17 AM

It's not "(*) AS *" but you need to take whole "values(*) AS *". It's a useful shorthand in splunk stats which works twofold.

Firstly - values(*) can be used to specify the same aggregation on all fields (or a subset of fields if you only match field names partially. This way you can avoid specifying multiple fields explicitly which makes the search easier to read and you can account for field names that you don't know the names beforehand. You just write values(*) and let splunk worry about the field names - you'll get a separate aggregation on each field that there is.

So that's one thing.

Secondly, we have wildcarded rename (the "AS" part). Without it we would get columns with names "values(Input)", "values(Processed)", and "values(Bundle)". We could live with that but it's not a pretty solution. So we apply the rename which - in case we use our stats with wildcard - can also take wildcard as argument which means that for each "source" column we will name the resulting column the same.

Reply
Get Updates on the Splunk Community!

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

A Prelude to .conf25: Your Guide to Splunk University

Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...

4 Ways the Splunk Community Helps You Prepare for .conf25

.conf25 is right around the corner, and whether you’re a first-time attendee or a seasoned Splunker, the ...
Top