How do I convert the output of a search with a stats command, which generates a table as output, into events?
That is, so I can send events as email alerts, not a chart/table.
I will answer my own question here; I finally found it.
search term | case () | streamstats fieldnames ,_raw,_time
streamstats/eventstats takes you to events rather than statistics and calculates the statistics for each event.
Let's say you have a
stats count as ProductCount by product_name; then streamstats will set ProductCount to 1 for the first event, then 2 for the 2nd event and so on for product_name=Ferrari, and if you have BMW as a product it will restart from 1 again for those events.
Try this:
your current search up to the stats command | stats count etc values(_raw) as _raw | table count _raw
I downvoted this post because this query is incorrect; it gives an error, etc not found.
Hi @ashutosharma17
Please do not downvote people who are just trying to help you out here. This is not how voting etiquette works on Splunk Answers. Only downvote users who give you a solution that could be dangerous and possibly break something in your environment. For more background on how community culture works in this forum, visit this previous post:
https://answers.splunk.com/answers/244111/proper-etiquette-and-timing-for-voting-here-on-ans.html
It's difficult for people to give you an accurate answer if you don't provide as much information for them to work with. If you have an existing search with sensitive information, just anonymize anything as necessary so other users can at least see the syntax of the rest of the search string to give you a more complete solution.
My bad @ppablo, I am new here.
I just downvoted because I thought it set answers to zero so someone doesn't think it's answered already.
No problem, thanks for responding. Glad you found your answer, and thanks for sharing it with the community.
This is throwing an error. Actually, the stats command is being filtered later on the (amount) and being searched for (amount)>5000.
I can't optimize this search by moving the search forward, as amount is calculated on the case which is created in the query.
Please share your query
Please reply, sundar; still not done yet.
I tried your query without etc, but it shows me the count.
I want the EVENT as output, like host, sourcetype, etc., not the chart/table.
I can't share it as it's a discrete query, but the above command is also not working on a simple query:
sourcetype=vendor_sales |stats count by product_name | stats count etc values(_raw) as _raw | table count _raw
It says etc is invalid.
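The following worked example is added here and is not code from any poster in this thread. It shows the two event-preserving forms the accepted answer refers to (eventstats and streamstats), applied to the situation the asker describes in the last few posts: an amount field computed with case() and a filter for amount > 5000 that has to run after the aggregation. The sourcetype=vendor_sales and product_name fields come from the thread; the price, currency and amount fields, the conversion factors and the index are assumptions made for the example. The first search annotates every raw event with the per-product total and count, so the where clause keeps the complete events of any product whose total exceeds 5000; the second keeps a running per-product total instead, so it keeps only the events from the point at which each product crosses the threshold.

```spl
index=sales sourcetype=vendor_sales
| eval amount=case(currency=="USD", price, currency=="EUR", round(price*1.1, 2), true(), price)
| eventstats sum(amount) AS TotalAmount count AS ProductCount BY product_name
| where TotalAmount > 5000
| table _time host sourcetype product_name amount ProductCount TotalAmount _raw

index=sales sourcetype=vendor_sales
| eval amount=case(currency=="USD", price, currency=="EUR", round(price*1.1, 2), true(), price)
| streamstats sum(amount) AS RunningAmount count AS ProductCount BY product_name
| where RunningAmount > 5000
| table _time host sourcetype product_name amount ProductCount RunningAmount _raw
```

Both forms return events rather than a statistics table, so _time, host, sourcetype and _raw survive and an alert configured to include results will email the individual events, which is what an analyst needs to triage the alert. The filter is written as where rather than search because it must run after the aggregated field exists, exactly the constraint the asker ran into. eventstats buffers every matching event for the search's time range to compute the totals, so on a high-volume sourcetype keep the alert's time window short or use the streamstats form; streamstats keeps an independent running count per product_name value, which is the "restart from 1 for BMW" behaviour described in the accepted answer.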