Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to use the Format search command

lpolo
Motivator
‎07-15-2011 05:08 AM

How to use the "Format" search commands using the optinal arguments....

The documentation does not show how to use the optional arguments for this command.

searchsourcetype="tvs-a9-request" |stats dc(TextQuery) as Query|append [search sourcetype="tvs-a9-request" |stats count(MAC) as Number]| format

Result set:
( ( Query="3818" ) OR ( Number="9184" ) )

I would like to format this result set as follow:

query Number
3818 9184

Tags (1)
Reply

Lamar
Splunk Employee
Splunk Employee
‎05-20-2014 04:14 PM

Use transpose to do that.


searchsourcetype="tvs-a9-request" |stats dc(TextQuery) as Query|append [search sourcetype="tvs-a9-request" |stats count(MAC) as Number]| transpose

0 Karma
Reply

splunker12er
Motivator
‎05-20-2014 03:55 PM

Try like this :

index=* | stats values(sourcetype) as sourcetype by host | join [search index=* | stats values(source) as source by host]

0 Karma
Reply

lpolo
Motivator
‎07-18-2011 06:59 AM

Thanks for your reply. In this case, your query is great we do not need append or appendcols commands. I think I was not clear in my previous post. I have two similar queries:

query 1:
sourcetype="tvs-a9-request" NOT forward |stats dc(TextQuery) as Query1

query 2:
sourcetype="tvs-a9-request" AND forward |stats dc(TextQuery) as Query2

how can I get in one query both results set preseted in a table without using append or appendcols commands: example

Query 1 Query 2
125 254

thanks,
Lp

0 Karma
Reply

mw
Splunk Employee
Splunk Employee
‎07-15-2011 01:27 PM

It actually does explain the arguments, which are 6 separate strings:

Optional arguments

<string>
  Syntax: "<string>"
  Description: These six optional string arguments correspond to: ["<row prefix>" "<column prefix>" "<column separator>" "<column end>" "<row separator>" "<row end>"]. By default, when you don't specify any strings, the format output defaults to: "(" "(" "AND" ")" "OR" ")"

The format command is really used in the creation of a search, which is why it will join all rows and columns to create a valid search string. Is that what you're doing here, or are you just looking to get a string to output on a dashboard? If it's the latter, something like this would probably work better. I don't see any reason to use that append subsearch either:

searchsourcetype="tvs-a9-request" 
  | stats dc(TextQuery) as Query count(MAC) as Number 
  | strcat "Query Number " Query " " Number my_new_string
Reply

lpolo
Motivator
‎07-18-2011 07:03 AM

Thanks for your reply. In this case, your query is great we do not need append or appendcols commands. I think, I was not clear in my previous post. I have two similar queries:

query 1: sourcetype="tvs-a9-request" NOT forward |stats dc(TextQuery) as Query1

query 2: sourcetype="tvs-a9-request" AND forward |stats dc(TextQuery) as Query2

How can I get in one query both results sets preseted in a table without using append or appendcols commands: example

Query 1 Query 2
125 254

thanks,
Lp

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...