Solved: Re: appendcols in same column different rows

hagjos43 · ‎05-06-2014

Currently I have a long query that gives me the results that I want, but not in the order that I want. Here is my sample query:

search xyz| appendcols [search abc ]| appendcols [search 123 ]| appendcols [search 098]

Results:

xyz    |   abc    |    123    |    098

I would like them to be listed as such:

xyz
abc
123
098

All within the same column, but different rows. Is this possible?

lguinn2 · ‎05-08-2014

Try this

searchstring | stats count(utma) as Value | eval Metric="Total Visits" 
| append [search searchstring | stats dc(utma) as Value | eval Metric="Total Visitors"]
| append [search searchstring | stats count by date_wday 
          | stats avg(count) as Value | eval Metric="Average Page Views by Day"]
| append [search searchstring | stats dc(utma) as count by date_wday 
          | stats avg(count) as Value | eval Metric = "Average Page Visit by Day"] 
| append [search searchstring | stats count by date_wday 
          | stats median(count) as Value | eval Metric="Median Page Views by Day"] 
| append [search searchstring | stats dc(utma) as count by date_wday
          | stats median(count) as Value | eval Metric="Median Page Visits by Day"]

View solution in original post

lguinn2 · ‎05-08-2014

Try this

searchstring | stats count(utma) as Value | eval Metric="Total Visits" 
| append [search searchstring | stats dc(utma) as Value | eval Metric="Total Visitors"]
| append [search searchstring | stats count by date_wday 
          | stats avg(count) as Value | eval Metric="Average Page Views by Day"]
| append [search searchstring | stats dc(utma) as count by date_wday 
          | stats avg(count) as Value | eval Metric = "Average Page Visit by Day"] 
| append [search searchstring | stats count by date_wday 
          | stats median(count) as Value | eval Metric="Median Page Views by Day"] 
| append [search searchstring | stats dc(utma) as count by date_wday
          | stats median(count) as Value | eval Metric="Median Page Visits by Day"]

hagjos43 · ‎05-09-2014

Perfect! Thanks!

hagjos43 · ‎05-08-2014

Append didn't quite do it. And OR does not work for this.

Here is my searchstring:

searchstring | chart count(utma) as
"Total Visits" | appendcols [search
searchstring |dedup utma| chart
count(utma) as "Total Visitors"]|
appendcols [search searchstring |
chart count by date_wday | stats
avg(count) as "Average Page Views by
Day"] | appendcols [search
searchstring | dedup utma |chart count
by date_wday | stats avg(count) as
"Average Page Visit by Day"] |
appendcols [search searchstring |
chart count by date_wday | stats
median(count) as "Median Page Views by
Day"] | appendcols [search
searchstring |dedup utma| chart count
by date_wday | stats median(count) as
"Median Page Visits by Day"]**

somesoni2 · ‎05-08-2014

The field name generated by each search/subsearch is different hence append doesn't work. What should be your expected output? Should it be like this?

Metrics ##This is header

Total Visits- value
Total Visitors-value
Average Page Views by Day-value
Average Page Visit by Day-value
Median Page Views by Day-value
Median Page Visits by Day-value

(along with name of value being shown)
OR just the values?

somesoni2 · ‎05-06-2014

You should use append instead on appendcols.

lguinn2 · ‎05-06-2014

Why not do this

xyz OR abc OR 123 OR 098

If the xyz represents a complicated search, put parenthesis around it.

If you must do subsearches, use append instead of appendcols - BUT you shouldn't need subsearches for this.
And subsearches are less efficient and have significant limitations.

appendcols in same column different rows

Metrics ##This is header

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes