Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

,Stats count result naming

TCK101
New Member
‎12-27-2017 01:55 AM

I have a number of saved searches - and I am appending all the counts to form a total which works fine

|savedsearch "Service 1" | stats count
| append [savedsearch "Service 2" | stats count]

| append [savedsearch "Service 3" | stats count]

|stats sum(count)

Basically I would now like to have a time chart of this and bar contain the weekly total each of the saved searches and have the counts for each saved search as service 1 , service 2, service 3

|savedsearch "Service 1" | stats count
| append [savedsearch "Service 2" | stats count]

| append [savedsearch "Service 3" | stats count]

|timechart span=1w count by ???

would I need to eval each saved search?

Tags (1)
0 Karma
Reply

TCK101
New Member
‎02-03-2018 03:09 AM

Thanks

how would I be able to split each of the Service1 service 2 and service 3 as their OWN line / bar in the timechart result?

0 Karma
Reply

somesoni2
Revered Legend
‎12-27-2017 08:17 AM

Try like this

|savedsearch "Service 1" | timechart span=1w count as Service1
| append [| savedsearch "Service 2" | timechart span=1w count as Service2 ] 
| append [| savedsearch "Service 3" | timechart span=1w count as Service3] 
| timechart span=1w sum(*) as *

Please note that for timechart command to work, you need _time field so ensure that your savedsearch results contain _time field.

Reply

micahkemp
Champion
‎12-27-2017 08:27 AM

It's important to note that in @somesonie2's response he used timechart instead of stats in the append search. The search posted in the original question used stats, which would definitely drop _time from the results, preventing you from using timechart further down the search.

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎12-27-2017 02:20 AM

HI @TCK101,

Can you please try this?

|savedsearch "Service 1" | eval mysavedsearch="Service 1"
| append [savedsearch "Service 2" | eval mysavedsearch="Service 2" ] 
| append [savedsearch "Service 3" | eval mysavedsearch="Service 3"] 
|timechart span=1w count by mysavedsearch
0 Karma
Reply

TCK101
New Member
‎12-27-2017 07:13 AM

This does not work.

Note I have 3 saved searches .

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...