Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to visualize all the search I put using the search command?

matcad81
New Member
‎11-24-2022 02:09 AM

HI All,

I would like to visualize all the search fields/content I mentioned using the command search:

index=* 

| search (Apps=value1 Or Apps=value2 OR Apps=value3)

| stats count by Apps

Apps count

value1

 5
value2 0
value3 0

 

So, I want to see all the values I have mentioned in the search, even if they were not found (adding for example a 0 count)

Is it possible?

Thank you in advance.

Matteo

Labels (2)
Labels
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎11-24-2022 07:11 PM

A typical way to show information that does NOT exist in Splunk is to include what you want to look for in a lookup and then do something like this

index=* [ | inputlookup my_list_of_apps.csv | fields Apps ]
| stats count by Apps
| append [
    | inputlookup my_list_of_apps.csv
    | fields Apps
    | eval count=0
]
| stats max(count) as count by Apps

which first searches for the apps in your lookup, then after that search is done, appends all the apps from the lookup with a count of 0 and then it "joins" them together and takes the max count. If there is no count originally, it will be 0

 

0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎11-24-2022 05:18 PM

There are many ways to manipulate display.  One can be transpose.

| transpose header_field=Apps column_name=Apps
| foreach value1 value2 value3
    [eval <<FIELD>> = if(isnull(<<FIELD>>), 0, <<FIELD>>)]
| transpose header_field=Apps column_name=Apps

 

Tags (1)
0 Karma
Reply
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...