Re: Visualize all the search I put using the searc...

matcad81 · ‎11-24-2022

HI All,

I would like to visualize all the search fields/content I mentioned using the command search:

index=*

| search (Apps=value1 Or Apps=value2 OR Apps=value3)

| stats count by Apps

Apps	count
value1	5
value2	0
value3	0

So, I want to see all the values I have mentioned in the search, even if they were not found (adding for example a 0 count)

Is it possible?

Thank you in advance.

Matteo

bowesmana · ‎11-24-2022

A typical way to show information that does NOT exist in Splunk is to include what you want to look for in a lookup and then do something like this

index=* [ | inputlookup my_list_of_apps.csv | fields Apps ]
| stats count by Apps
| append [
    | inputlookup my_list_of_apps.csv
    | fields Apps
    | eval count=0
]
| stats max(count) as count by Apps

which first searches for the apps in your lookup, then after that search is done, appends all the apps from the lookup with a count of 0 and then it "joins" them together and takes the max count. If there is no count originally, it will be 0

yuanliu · ‎11-24-2022

There are many ways to manipulate display. One can be transpose.

| transpose header_field=Apps column_name=Apps
| foreach value1 value2 value3
    [eval <<FIELD>> = if(isnull(<<FIELD>>), 0, <<FIELD>>)]
| transpose header_field=Apps column_name=Apps

How to visualize all the search I put using the search command?

field extraction

stats

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!