Currently I have a long query that gives me the results that I want, but not in the order that I want. Here is my sample query:
search xyz | appendcols [search abc] | appendcols [search 123] | appendcols [search 098]
Results:
xyz | abc | 123 | 098
I would like them to be listed as such:
xyz
abc
123
098
All within the same column, but different rows. Is this possible?
Try this
searchstring | stats count(utma) as Value | eval Metric="Total Visits"
| append [search searchstring | stats dc(utma) as Value | eval Metric="Total Visitors"]
| append [search searchstring | stats count by date_wday
| stats avg(count) as Value | eval Metric="Average Page Views by Day"]
| append [search searchstring | stats dc(utma) as count by date_wday
| stats avg(count) as Value | eval Metric = "Average Page Visit by Day"]
| append [search searchstring | stats count by date_wday
| stats median(count) as Value | eval Metric="Median Page Views by Day"]
| append [search searchstring | stats dc(utma) as count by date_wday
| stats median(count) as Value | eval Metric="Median Page Visits by Day"]
Perfect! Thanks!
Append didn't quite do it. And OR does not work for this.
Here is my searchstring:
searchstring | chart count(utma) as "Total Visits"
| appendcols [search searchstring | dedup utma | chart count(utma) as "Total Visitors"]
| appendcols [search searchstring | chart count by date_wday | stats avg(count) as "Average Page Views by Day"]
| appendcols [search searchstring | dedup utma | chart count by date_wday | stats avg(count) as "Average Page Visit by Day"]
| appendcols [search searchstring | chart count by date_wday | stats median(count) as "Median Page Views by Day"]
| appendcols [search searchstring | dedup utma | chart count by date_wday | stats median(count) as "Median Page Visits by Day"]
The field name generated by each search/subsearch is different, hence append doesn't work. What should your expected output be? Should it be like this?
Total Visits- value
Total Visitors-value
Average Page Views by Day-value
Average Page Visit by Day-value
Median Page Views by Day-value
Median Page Visits by Day-value
(along with name of value being shown)
OR just the values?
You should use append instead of appendcols.
Why not do this:
xyz OR abc OR 123 OR 098
If the xyz represents a complicated search, put parentheses around it.
If you must do subsearches, use append instead of appendcols - BUT you shouldn't need subsearches for this.
And subsearches are less efficient and have significant limitations.
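A single-pass version of the six-metric report from this thread, with no subsearches, as an added example that is not from any of the posters. It uses the metric definitions from the append answer, keeps `searchstring` as the thread's placeholder, and assumes every matching event carries `date_wday`; the intermediate field names (`all_visitors`, `views`, `hits`, `visits`) are made up for illustration.

```spl
searchstring
| eventstats dc(utma) as all_visitors
| stats count as views, count(utma) as hits, dc(utma) as visits, max(all_visitors) as all_visitors by date_wday
| stats sum(hits) as "Total Visits",
        max(all_visitors) as "Total Visitors",
        avg(views) as "Average Page Views by Day",
        avg(visits) as "Average Page Visit by Day",
        median(views) as "Median Page Views by Day",
        median(visits) as "Median Page Visits by Day"
| transpose column_name=Metric
| rename "row 1" as Value
```

The first `stats` reduces the events to one row per weekday, the second collapses those rows into a single row of six fields, and `transpose` turns that row into the Metric/Value rows the question asked for. The overall distinct visitor count has to be taken with `eventstats` before grouping, because per-day distinct counts cannot be summed into a global one.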