Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

I want to merge my data into single row, also I want to add the trendchart based on the date/time, please check below the more details.

krsuraj11
New Member
‎07-17-2019 08:52 AM

index="indexsplunk" host=host* tag="Failure" "Transaction" | stats count as Total
|append [search index="indexsplunk" host=host* tag="Failure" "EFGH" | stats count as Total]

Right now, output is displaying in 2 rows, since I append so one more row added for 2nd search. Please help me getting the data populated in one field and also suggest how to add the date while searching.

0 Karma
Reply

adonio
Ultra Champion
‎07-17-2019 04:14 PM

try this:

(index="indexsplunk" host=host* tag="Failure" "Transaction" ) OR (index="indexsplunk" host=host* tag="ABCD" "EFGH") 
| stats count(eval(tag=="Failure")) as fail_count count(eval(tag=="ABCD")) as adcd_count
0 Karma
Reply

krsuraj11
New Member
‎07-18-2019 12:34 AM

Hi, it gives me the 0 result, actually tag is common for both, can you please check again.

0 Karma
Reply

adonio
Ultra Champion
‎07-18-2019 04:49 AM

try and use this formula, here i use wild cards in eval %Fail% you might not need.

| makeresults count=1000
| eval random_for_text = random()%2
| eval text_to_search = if(random_for_text=="0","Failure","EFGH")
| stats count(eval(like(text_to_search,"%Fail%"))) as fail_count count(eval(like(text_to_search, "%EF%"))) as efgh_count

in your case itll be maybe something like this:
index="indexsplunk" host=host* tag="Failure" "Transaction" ("Failure" OR "EFGH")
| stats count(eval(like(_raw,"Failure"))) as fail_count count(eval(like(_raw, "EFGH"))) as efgh_count
hope it helps

0 Karma
Reply

grittonc
Contributor
‎07-17-2019 09:50 AM

Do the two rows have anything in common?

0 Karma
Reply

krsuraj11
New Member
‎07-18-2019 12:32 AM

Yes, Index, Host and Tag are common, please help

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...

[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...