Splunk Search

appendcols in same column different rows

Contributor

Currently I have a long query that gives me the results that I want, but not in the order that I want. Here is my sample query:

search xyz | appendcols [search abc] | appendcols [search 123] | appendcols [search 098]

Results:

xyz    |   abc    |    123    |    098

I would like them to be listed as such:

xyz
abc
123
098

All within the same column, but different rows. Is this possible?

0 Karma
1 Solution

Legend

Try this

searchstring | stats count(utma) as Value | eval Metric="Total Visits" 
| append [search searchstring | stats dc(utma) as Value | eval Metric="Total Visitors"]
| append [search searchstring | stats count by date_wday 
          | stats avg(count) as Value | eval Metric="Average Page Views by Day"]
| append [search searchstring | stats dc(utma) as count by date_wday 
          | stats avg(count) as Value | eval Metric = "Average Page Visit by Day"] 
| append [search searchstring | stats count by date_wday 
          | stats median(count) as Value | eval Metric="Median Page Views by Day"] 
| append [search searchstring | stats dc(utma) as count by date_wday
          | stats median(count) as Value | eval Metric="Median Page Visits by Day"]



Contributor

Perfect! Thanks!

0 Karma

Contributor

Append didn't quite do it. And OR does not work for this.

Here is my searchstring:

searchstring | chart count(utma) as "Total Visits"
| appendcols [search searchstring | dedup utma | chart count(utma) as "Total Visitors"]
| appendcols [search searchstring | chart count by date_wday | stats avg(count) as "Average Page Views by Day"]
| appendcols [search searchstring | dedup utma | chart count by date_wday | stats avg(count) as "Average Page Visit by Day"]
| appendcols [search searchstring | chart count by date_wday | stats median(count) as "Median Page Views by Day"]
| appendcols [search searchstring | dedup utma | chart count by date_wday | stats median(count) as "Median Page Visits by Day"]

0 Karma

Revered Legend

The field name generated by each search/subsearch is different hence append doesn't work. What should be your expected output? Should it be like this?

Metrics ##This is header

Total Visits- value
Total Visitors-value
Average Page Views by Day-value
Average Page Visit by Day-value
Median Page Views by Day-value
Median Page Visits by Day-value

(along with name of value being shown)
OR just the values?

0 Karma

Revered Legend

You should use append instead of appendcols.

Legend

Why not do this

xyz OR abc OR 123 OR 098

If the xyz represents a complicated search, put parentheses around it.

If you must do subsearches, use append instead of appendcols - BUT you shouldn't need subsearches for this.
And subsearches are less efficient and have significant limitations.
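As an added example (not part of any post in this thread), here is one way to get the same six metrics as rows of a single Metric/Value table without any subsearch, in line with the advice above. It assumes the thread's placeholder searchstring and its utma and date_wday fields; eventstats carries the overall distinct visitor count alongside the per-day aggregates so that one pass over the events is enough, and transpose turns the single summary row into rows.

```spl
searchstring
| eventstats dc(utma) as total_visitors
| stats count(utma) as views, dc(utma) as visitors, max(total_visitors) as total_visitors by date_wday
| stats sum(views) as "Total Visits",
        max(total_visitors) as "Total Visitors",
        avg(views) as "Average Page Views by Day",
        avg(visitors) as "Average Page Visit by Day",
        median(views) as "Median Page Views by Day",
        median(visitors) as "Median Page Visits by Day"
| transpose column_name=Metric
| rename "row 1" as Value
```

The metric definitions follow the accepted answer: "Total Visits" is the count of events carrying utma, "Total Visitors" is the distinct count of utma over the whole search, and the average and median figures are taken over the per-date_wday buckets. Because eventstats and stats run in the main search, the row limits and time limits that apply to subsearches do not come into play.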
