Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to search the results produced by the mult...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have the following search:
index="main" |rename Proj_repo AS Project | multireport [ stats values(Project) AS Projects BY Author ][ stats values(Author) AS Team BY Project ]
that provides a combined result set for which I need to search each Author against Team to get a combined set of Team values for the author (in other words, everyone the author has worked with).
I've tried various forms of foreach and map, but to no avail. I've additionally tried comma delimiting the Team values since it's a mutlivalue field.
Suggestions on how to search the results of the multireport? Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Give this a try
index=main | stats count by Proj_repo Author |rename Proj_repo AS Project | eventstats values(Author) as Authors by Project | stats values(Authors) as Team by Author
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Give this a try
index=main | stats count by Proj_repo Author |rename Proj_repo AS Project | eventstats values(Author) as Authors by Project | stats values(Authors) as Team by Author
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Give this a try as well (may be little faster)
index=main | stats values(Proj_repo) as Projects by Author | eventstats values(Author) as Team by Projects | stats values(Team) as Team by Author | eval MemberCount=mvcount(Team)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Do you have a link to the documentation on multireport? I don't see it here: https://docs.splunk.com/Documentation/Splunk/8.0.1/SearchReference/WhatsInThisManual
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
multireport is unlikely to be documented unfortunately, they are more likely to create a new search command...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Exactly what I needed. Can you explain the need for stats count? I'm not sure I understand its use in the equation.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The stats count was to remove the duplicate combination of Project and Author. You can use dedup command as well. I generally prefer to remove unwanted results as soon as possible, to avoid extra processing.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As the first count is not displayed, I simplified it a bit and added the counts on the end:
index=main | eventstats values(Author) as Authors by Proj_repo | stats values(Authors) as Team by Author | eval People = mvcount(Team)
Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain
Splunk Lantern’s Guide to The Most Popular .conf25 Sessions
Unlock What’s Next: The Splunk Cloud Platform at .conf25
