Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

I want to merge my data into single row, also I want to add the trendchart based on the date/time, please check below the more details.

krsuraj11
New Member
‎07-17-2019 08:52 AM

index="indexsplunk" host=host* tag="Failure" "Transaction" | stats count as Total
|append [search index="indexsplunk" host=host* tag="Failure" "EFGH" | stats count as Total]

Right now, output is displaying in 2 rows, since I append so one more row added for 2nd search. Please help me getting the data populated in one field and also suggest how to add the date while searching.

0 Karma
Reply

adonio
Ultra Champion
‎07-17-2019 04:14 PM

try this:

(index="indexsplunk" host=host* tag="Failure" "Transaction" ) OR (index="indexsplunk" host=host* tag="ABCD" "EFGH") 
| stats count(eval(tag=="Failure")) as fail_count count(eval(tag=="ABCD")) as adcd_count
0 Karma
Reply

krsuraj11
New Member
‎07-18-2019 12:34 AM

Hi, it gives me the 0 result, actually tag is common for both, can you please check again.

0 Karma
Reply

adonio
Ultra Champion
‎07-18-2019 04:49 AM

try and use this formula, here i use wild cards in eval %Fail% you might not need.

| makeresults count=1000
| eval random_for_text = random()%2
| eval text_to_search = if(random_for_text=="0","Failure","EFGH")
| stats count(eval(like(text_to_search,"%Fail%"))) as fail_count count(eval(like(text_to_search, "%EF%"))) as efgh_count

in your case itll be maybe something like this:
index="indexsplunk" host=host* tag="Failure" "Transaction" ("Failure" OR "EFGH")
| stats count(eval(like(_raw,"Failure"))) as fail_count count(eval(like(_raw, "EFGH"))) as efgh_count
hope it helps

0 Karma
Reply

grittonc
Contributor
‎07-17-2019 09:50 AM

Do the two rows have anything in common?

0 Karma
Reply

krsuraj11
New Member
‎07-18-2019 12:32 AM

Yes, Index, Host and Tag are common, please help

0 Karma
Reply
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...