Splunk Search

How to use the Format search command

Motivator

How to use the "Format" search command with its optional arguments.

The documentation does not show how to use the optional arguments for this command.

search sourcetype="tvs-a9-request" | stats dc(TextQuery) as Query | append [search sourcetype="tvs-a9-request" | stats count(MAC) as Number] | format

Result set:
( ( Query="3818" ) OR ( Number="9184" ) )

I would like to format this result set as follow:

Query   Number
3818    9184


Splunk Employee

Use transpose to do that.


search sourcetype="tvs-a9-request" | stats dc(TextQuery) as Query | append [search sourcetype="tvs-a9-request" | stats count(MAC) as Number] | transpose


Motivator

Try like this :

index=* | stats values(sourcetype) as sourcetype by host | join [search index=* | stats values(source) as source by host]


Motivator

Thanks for your reply. In this case, your query is great; we do not need the append or appendcols commands. I think I was not clear in my previous post. I have two similar queries:

query 1:
sourcetype="tvs-a9-request" NOT forward |stats dc(TextQuery) as Query1

query 2:
sourcetype="tvs-a9-request" AND forward |stats dc(TextQuery) as Query2

How can I get both result sets in one query, presented in a table, without using the append or appendcols commands? Example:

Query 1   Query 2
125       254

thanks,
Lp


Splunk Employee

It actually does explain the arguments, which are 6 separate strings:

Optional arguments

<string>
  Syntax: "<string>"
  Description: These six optional string arguments correspond to: ["<row prefix>" "<column prefix>" "<column separator>" "<column end>" "<row separator>" "<row end>"]. By default, when you don't specify any strings, the format output defaults to: "(" "(" "AND" ")" "OR" ")"

The format command is really used in the creation of a search, which is why it will join all rows and columns to create a valid search string. Is that what you're doing here, or are you just looking to get a string to output on a dashboard? If it's the latter, something like this would probably work better. I don't see any reason to use that append subsearch either:

search sourcetype="tvs-a9-request"
  | stats dc(TextQuery) as Query count(MAC) as Number
  | strcat "Query Number " Query " " Number my_new_string
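The six strings described above, as an added example that is not from this thread or from Splunk: a small Python model of how `format` joins a result set into one search string, run on the question's two-row result set with the default delimiters and with custom ones. It assumes the real command backslash-escapes embedded quotes and does not model `mvsep` or empty result sets.

```python
# Added example (not Splunk's code): a model of the `format` command's
# six optional strings, to show how rows and columns become a search string.
from typing import Dict, List, Optional, Sequence

# Constructed result set: the two rows that `stats ... | append [...]`
# produces in the question. A None field is absent from that row and skipped.
RESULTS: List[Dict[str, Optional[str]]] = [
    {"Query": "3818", "Number": None},
    {"Query": None, "Number": "9184"},
]

# Documented defaults: row prefix, column prefix, column separator,
# column end, row separator, row end.
DEFAULT_ARGS = ("(", "(", "AND", ")", "OR", ")")


def _quote(value: str) -> str:
    """Quote a value for field="...". Backslashes and double quotes are
    escaped (assumed escaping) so a value cannot close the quoted term
    and be read as search syntax."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def splunk_format(rows: Sequence[Dict[str, Optional[str]]],
                  args: Sequence[str] = DEFAULT_ARGS) -> str:
    """Join rows and columns into a single search string using the six
    optional strings, in the documented order."""
    if len(args) != 6:
        raise ValueError("format takes exactly six optional strings")
    row_prefix, col_prefix, col_sep, col_end, row_sep, row_end = args
    col_join = f" {col_sep} "
    row_join = f" {row_sep} "
    rendered_rows = []
    for row in rows:
        terms = [f"{field}={_quote(value)}"
                 for field, value in row.items() if value is not None]
        if not terms:
            continue  # a row with no populated fields contributes nothing
        rendered_rows.append(f"{col_prefix} {col_join.join(terms)} {col_end}")
    return f"{row_prefix} {row_join.join(rendered_rows)} {row_end}"


if __name__ == "__main__":
    print(splunk_format(RESULTS))
    # ( ( Query="3818" ) OR ( Number="9184" ) )
    print(splunk_format(RESULTS, ("[", "[", "&&", "]", "||", "]")))
    # [ [ Query="3818" ] || [ Number="9184" ] ]
```

Tracing the output this way makes clear why `format` is a search-building tool rather than a display one: every value ends up as a quoted `field="value"` term, which is what you want when a subsearch over untrusted data feeds an outer search.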
