How to separate out basic search of Splunk in two ...

AjayTakur · ‎04-26-2023

I am new to Splunk and facing an issue in separating out the two columns of the query. I tried with the below query and found the results as shown below in table1

...|
append [search index="pd" "successful" "notif/output/" | stats count by _raw |fields count | rename _raw as Dtransfer] | 
append [search index="pd" "SBID=nr" "DM" "PAM=sende" "notif/archive/" | stats count by _raw |fields count | rename _raw as DMCopy]

How do I achieve the expected result shown in Table 2? I need to display two separate columns DtransferCount and DMCopyCount

richgalloway · ‎04-26-2023

Specify the name of the count field in the stats commands.

...|
append [search index="pd" "successful" "notif/output/" | stats count as DtransferCount by _raw |fields DtransferCount | rename _raw as Dtransfer] | 
append [search index="pd" "SBID=nr" "DM" "PAM=sende" "notif/archive/" | stats count as DDMCopyCount by _raw |fields DDMCopyCount | rename _raw as DMCopy]

---
If this reply helps you, Karma would be appreciated.

How to separate out basic search of Splunk in two different columns?

count

eval

field extraction

fields

join

regex

stats

table

tstats

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Index This | What travels the world but is also stuck in place?

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

Join the Conversation

How to separate out basic search of Splunk in two different columns?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.