Splunk Search

How to override only specific fields using appendcols?

Maniteja81
New Member

Hi,
Is there a way to only override specific fields only. When i use appendcols override=true, it is overriding all the fields having same name.
But i want to override only few fields not all. Is this possible ?
Please help me on this.

0 Karma
1 Solution

somesoni2
Revered Legend

For what you want to do (combine both the result), appendcols is not the correct command. Logically you want to join both the search result based on column rsti_thumb_print. Splunk has a join command but it's very resource intensive, so I would suggest trying this alternate solution of join, using append and stats command (also made few changes to query to apply some optimizations):

index=qvmr_qvmregress_r groupID=qvmr_dev rsti_thumb_print=rsti_fvcad_ds_Tue_May_29_22_06_37_2018_fvcad-jenkins-01_fvcad_ds OR rsti_thumb_print=rsti_fvcad_ds_Thu_May_10_22_06_55_2018_fvcad-jenkins-01_fvcad_ds OR rsti_thumb_print=rsti_fvcad_ds_Thu_May_10_03_45_41_2018_fvcad-jenkins-01_fvcad_ds 
| makemv delim="," version_vector 
|eval success=case((isnotnull(success) AND success="") OR success="0","FAIL",success="1","PASS", success="-1","UNFINISHED", true(),success)
|makemv delim="," version_vector 
| stats list(actual_status) as l_status,list(success) as status ,list(version_vector) as vv by dut_id,rsti_thumb_print 
|search vv="*"
| eval status=coalesce(status,"SCHEDULED")
|stats count(eval(status=="PASS")) as pass_count count(eval(status=="FAIL")) as fail_count count(eval(status=="SCHEDULED")) as incmp_count count(eval("PASS"+"FAIL"+"SCHEDULED")) as total_count by rsti_thumb_print
| append
[search index=qvmr_qvmregress_r groupID=qvmr_dev rsti_thumb_print=rsti_fvcad_ds_Thu_May_10_22_06_55_2018_fvcad-jenkins-01_fvcad_ds 
| dedup dut_id 
| stats count(dut_id) as max_tests by rsti_thumb_print] 
| stats values(*) as * by rsti_thumb_print
| eval diff=max_tests - total_count | table max_tests total_count diff rsti_thumb_print

View solution in original post

0 Karma

Maniteja81
New Member

Hi Soni,

Thanks for the query, but i wanted the max_tests value to be populated for the rest of the two fields also. If i can populate the max_tests field to the rest of the fields, i can do a subtraction on those rem fields.

Any ideas on how to populate the rest of the fields.

alt text

0 Karma

somesoni2
Revered Legend

For what you want to do (combine both the result), appendcols is not the correct command. Logically you want to join both the search result based on column rsti_thumb_print. Splunk has a join command but it's very resource intensive, so I would suggest trying this alternate solution of join, using append and stats command (also made few changes to query to apply some optimizations):

index=qvmr_qvmregress_r groupID=qvmr_dev rsti_thumb_print=rsti_fvcad_ds_Tue_May_29_22_06_37_2018_fvcad-jenkins-01_fvcad_ds OR rsti_thumb_print=rsti_fvcad_ds_Thu_May_10_22_06_55_2018_fvcad-jenkins-01_fvcad_ds OR rsti_thumb_print=rsti_fvcad_ds_Thu_May_10_03_45_41_2018_fvcad-jenkins-01_fvcad_ds 
| makemv delim="," version_vector 
|eval success=case((isnotnull(success) AND success="") OR success="0","FAIL",success="1","PASS", success="-1","UNFINISHED", true(),success)
|makemv delim="," version_vector 
| stats list(actual_status) as l_status,list(success) as status ,list(version_vector) as vv by dut_id,rsti_thumb_print 
|search vv="*"
| eval status=coalesce(status,"SCHEDULED")
|stats count(eval(status=="PASS")) as pass_count count(eval(status=="FAIL")) as fail_count count(eval(status=="SCHEDULED")) as incmp_count count(eval("PASS"+"FAIL"+"SCHEDULED")) as total_count by rsti_thumb_print
| append
[search index=qvmr_qvmregress_r groupID=qvmr_dev rsti_thumb_print=rsti_fvcad_ds_Thu_May_10_22_06_55_2018_fvcad-jenkins-01_fvcad_ds 
| dedup dut_id 
| stats count(dut_id) as max_tests by rsti_thumb_print] 
| stats values(*) as * by rsti_thumb_print
| eval diff=max_tests - total_count | table max_tests total_count diff rsti_thumb_print
0 Karma

Maniteja81
New Member

Hi Soni,

Here is my full search
index=qvmr_qvmregress_r groupID=qvmr_dev rsti_thumb_print=rsti_fvcad_ds_Tue_May_29_22_06_37_2018_fvcad-jenkins-01_fvcad_ds OR rsti_thumb_print=rsti_fvcad_ds_Thu_May_10_22_06_55_2018_fvcad-jenkins-01_fvcad_ds OR rsti_thumb_print=rsti_fvcad_ds_Thu_May_10_03_45_41_2018_fvcad-jenkins-01_fvcad_ds | makemv delim="," version_vector |eval success=if(isnotnull(success) and success="","FAIL",success)|eval success=if(success="1","PASS",success)| eval success=if(success="0","FAIL",success) | eval success=if(success="-1","UNFINISHED",success)|makemv delim="," version_vector | stats list(actual_status) as l_status,list(success) as status ,list(version_vector) as vv by dut_id,rsti_thumb_print | eval status=if(isnull(status),"SCHEDULED",status) |search vv="*"|stats count(eval(status=="PASS")) as pass_count count(eval(status=="FAIL")) as fail_count count(eval(status=="SCHEDULED")) as incmp_count count(eval("PASS"+"FAIL"+"SCHEDULED")) as total_count by rsti_thumb_print| appendcols [search index=qvmr_qvmregress_r groupID=qvmr_dev rsti_thumb_print=rsti_fvcad_ds_Thu_May_10_22_06_55_2018_fvcad-jenkins-01_fvcad_ds | dedup dut_id | stats count(dut_id) as max_tests by rsti_thumb_print] | eval diff=max_tests - total_count | table max_tests total_count diff rsti_thumb_print

What i'm trying to achieve from this query is, i want to do a diff on the number of the test-cases present in the golden regression to the reference regression.

But the above query is showing difference for only regression, rest it doesn't show. I'm trying to figure out is there any way to do this.

0 Karma

somesoni2
Revered Legend

If you don't want to override all the fields, in appendcols subsearch, only specify the fields that you want to override.

There may be other/better options, which we can suggest if you could share your current full search.

0 Karma
Get Updates on the Splunk Community!

Maximize the Value from Microsoft Defender with Splunk

<P style=" text-align: center; "><span class="lia-inline-image-display-wrapper lia-image-align-center" ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

<FONT size="5"><FONT size="5" color="#FF00FF">Get the latest news and updates from the Splunk Community ...