Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

I want to merge my data into single row, also I want to add the trendchart based on the date/time, please check below the more details.

krsuraj11
New Member
‎07-17-2019 08:52 AM

index="indexsplunk" host=host* tag="Failure" "Transaction" | stats count as Total
|append [search index="indexsplunk" host=host* tag="Failure" "EFGH" | stats count as Total]

Right now, output is displaying in 2 rows, since I append so one more row added for 2nd search. Please help me getting the data populated in one field and also suggest how to add the date while searching.

0 Karma
Reply

adonio
Ultra Champion
‎07-17-2019 04:14 PM

try this:

(index="indexsplunk" host=host* tag="Failure" "Transaction" ) OR (index="indexsplunk" host=host* tag="ABCD" "EFGH") 
| stats count(eval(tag=="Failure")) as fail_count count(eval(tag=="ABCD")) as adcd_count
0 Karma
Reply

krsuraj11
New Member
‎07-18-2019 12:34 AM

Hi, it gives me the 0 result, actually tag is common for both, can you please check again.

0 Karma
Reply

adonio
Ultra Champion
‎07-18-2019 04:49 AM

try and use this formula, here i use wild cards in eval %Fail% you might not need.

| makeresults count=1000
| eval random_for_text = random()%2
| eval text_to_search = if(random_for_text=="0","Failure","EFGH")
| stats count(eval(like(text_to_search,"%Fail%"))) as fail_count count(eval(like(text_to_search, "%EF%"))) as efgh_count

in your case itll be maybe something like this:
index="indexsplunk" host=host* tag="Failure" "Transaction" ("Failure" OR "EFGH")
| stats count(eval(like(_raw,"Failure"))) as fail_count count(eval(like(_raw, "EFGH"))) as efgh_count
hope it helps

0 Karma
Reply

grittonc
Contributor
‎07-17-2019 09:50 AM

Do the two rows have anything in common?

0 Karma
Reply

krsuraj11
New Member
‎07-18-2019 12:32 AM

Yes, Index, Host and Tag are common, please help

0 Karma
Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...