
How to search the results produced by the multireport command?

jlkokko
Path Finder

I have the following search:

index="main" |rename Proj_repo AS Project | multireport [ stats values(Project) AS Projects BY Author ][ stats values(Author) AS Team BY Project ] 

that provides a combined result set for which I need to search each Author against Team to get a combined set of Team values for the author (in other words, everyone the author has worked with).

I've tried various forms of foreach and map, but to no avail. I've additionally tried comma delimiting the Team values since it's a multivalue field.

Suggestions on how to search the results of the multireport? Thanks!

0 Karma
1 Solution

somesoni2
Revered Legend

Give this a try

index=main | stats count by Proj_repo Author |rename Proj_repo AS Project | eventstats values(Author) as Authors by Project | stats values(Authors) as Team by Author


somesoni2
Revered Legend

Give this a try as well (may be a little faster)

index=main | stats values(Proj_repo) as Projects by Author | eventstats values(Author) as Team by Projects | stats values(Team) as Team by Author | eval MemberCount=mvcount(Team)

0 Karma

landen99
Motivator

Do you have a link to the documentation on multireport? I don't see it here: https://docs.splunk.com/Documentation/Splunk/8.0.1/SearchReference/WhatsInThisManual

0 Karma

gjanders
SplunkTrust

Unfortunately, multireport is unlikely to be documented; they are more likely to create a new search command...

Alerts for Splunk Admins https://splunkbase.splunk.com/app/3796/
Version Control for Splunk https://splunkbase.splunk.com/app/4355/
0 Karma

jlkokko
Path Finder

Exactly what I needed. Can you explain the need for stats count? I'm not sure I understand its use in the equation.

0 Karma

somesoni2
Revered Legend

The stats count was to remove the duplicate combination of Project and Author. You can use dedup command as well. I generally prefer to remove unwanted results as soon as possible, to avoid extra processing.

0 Karma

jlkokko
Path Finder

As the first count is not displayed, I simplified it a bit and added the counts on the end:

index=main | eventstats values(Author) as Authors by Proj_repo | stats values(Authors) as Team by Author | eval People = mvcount(Team)
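To make the accepted pipeline (stats count → eventstats values → stats values) and this simplified variant concrete, here is an added Python emulation that is not part of the thread or of Splunk itself. It runs the same three steps over a constructed set of events with the Proj_repo and Author fields from the question, so you can see why the early `stats count` only reduces the row set and does not change the final Team values (the `values()` functions deduplicate on their own). The helper names and the sample events are my own assumptions, not Splunk APIs.

```python
from collections import defaultdict

# Constructed sample events (not real data): one record per "commit",
# carrying the Proj_repo and Author fields named in the question.
EVENTS = [
    {"Proj_repo": "web-app", "Author": "alice"},
    {"Proj_repo": "web-app", "Author": "bob"},
    {"Proj_repo": "web-app", "Author": "alice"},   # duplicate Project/Author pair
    {"Proj_repo": "auth-lib", "Author": "bob"},
    {"Proj_repo": "auth-lib", "Author": "carol"},
    {"Proj_repo": "infra", "Author": "dave"},
]


def stats_count_by(events, *fields):
    """Emulates `stats count by f1 f2`: one row per distinct field combination,
    which is the cheap early dedup the accepted answer relies on."""
    counts = defaultdict(int)
    for e in events:
        counts[tuple(e[f] for f in fields)] += 1
    return [dict(zip(fields, key), count=n) for key, n in counts.items()]


def rename(rows, old, new):
    """Emulates `rename old AS new` without mutating the caller's rows."""
    out = []
    for r in rows:
        r = dict(r)
        r[new] = r.pop(old)
        out.append(r)
    return out


def eventstats_values(rows, value_field, by_field, out_field):
    """Emulates `eventstats values(value_field) as out_field by by_field`:
    every row keeps its own fields and gains the deduplicated set of
    value_field seen across its by_field group (here: all Authors on a Project)."""
    groups = defaultdict(set)
    for r in rows:
        groups[r[by_field]].add(r[value_field])
    return [dict(r, **{out_field: sorted(groups[r[by_field]])}) for r in rows]


def stats_values(rows, value_field, by_field, out_field):
    """Emulates `stats values(value_field) as out_field by by_field` for a
    multivalue value_field: union of all values in the group, deduplicated."""
    groups = defaultdict(set)
    for r in rows:
        groups[r[by_field]].update(r[value_field])
    return {key: sorted(vals) for key, vals in groups.items()}


def teams_by_author(events, dedup_first=True):
    """Returns {Author: {"Team": [...], "MemberCount": n}}, i.e. everyone the
    author has shared a project with (the author is included, as in the SPL)."""
    if dedup_first:
        rows = stats_count_by(events, "Proj_repo", "Author")   # accepted answer
    else:
        rows = [dict(e) for e in events]                        # simplified variant
    rows = rename(rows, "Proj_repo", "Project")
    rows = eventstats_values(rows, "Author", "Project", "Authors")
    teams = stats_values(rows, "Authors", "Author", "Team")
    return {author: {"Team": team, "MemberCount": len(team)}   # eval MemberCount=mvcount(Team)
            for author, team in teams.items()}


if __name__ == "__main__":
    for author, info in sorted(teams_by_author(EVENTS).items()):
        print(author, info)
```

With the sample above, bob ends up with Team alice, bob, carol (he touched both web-app and auth-lib), while dave, alone on infra, has only himself. Running it with dedup_first=False gives the identical result, which is the point made in the thread: the leading `stats count` is an optimisation that shrinks the rows eventstats has to carry, not a correctness requirement. If you do not want the author counted as their own teammate, filter the author out of Team before taking mvcount (in SPL, mvfilter on the Team field).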