Splunk Search

appendcols in same column different rows

hagjos43
Contributor

Currently I have a long query that gives me the results that I want, but not in the order that I want. Here is my sample query:

search xyz | appendcols [search abc] | appendcols [search 123] | appendcols [search 098]

Results:

xyz    |   abc    |    123    |    098

I would like them to be listed as such:

xyz
abc
123
098

All within the same column, but different rows. Is this possible?

1 Solution

lguinn2
Legend

Try this

searchstring | stats count(utma) as Value | eval Metric="Total Visits" 
| append [search searchstring | stats dc(utma) as Value | eval Metric="Total Visitors"]
| append [search searchstring | stats count by date_wday 
          | stats avg(count) as Value | eval Metric="Average Page Views by Day"]
| append [search searchstring | stats dc(utma) as count by date_wday 
          | stats avg(count) as Value | eval Metric = "Average Page Visit by Day"] 
| append [search searchstring | stats count by date_wday 
          | stats median(count) as Value | eval Metric="Median Page Views by Day"] 
| append [search searchstring | stats dc(utma) as count by date_wday
          | stats median(count) as Value | eval Metric="Median Page Visits by Day"]

hagjos43
Contributor

Perfect! Thanks!


hagjos43
Contributor

Append didn't quite do it. And OR does not work for this.

Here is my searchstring:

searchstring | chart count(utma) as "Total Visits"
| appendcols [search searchstring | dedup utma | chart count(utma) as "Total Visitors"]
| appendcols [search searchstring | chart count by date_wday | stats avg(count) as "Average Page Views by Day"]
| appendcols [search searchstring | dedup utma | chart count by date_wday | stats avg(count) as "Average Page Visit by Day"]
| appendcols [search searchstring | chart count by date_wday | stats median(count) as "Median Page Views by Day"]
| appendcols [search searchstring | dedup utma | chart count by date_wday | stats median(count) as "Median Page Visits by Day"]


somesoni2
Revered Legend

The field name generated by each search/subsearch is different, hence append doesn't work. What should be your expected output? Should it be like this?

Metrics (this is the header)

Total Visits - value
Total Visitors - value
Average Page Views by Day - value
Average Page Visit by Day - value
Median Page Views by Day - value
Median Page Visits by Day - value

(along with name of value being shown)
OR just the values?


somesoni2
Revered Legend

You should use append instead of appendcols.

lguinn2
Legend

Why not do this

xyz OR abc OR 123 OR 098

If the xyz represents a complicated search, put parentheses around it.

If you must do subsearches, use append instead of appendcols - BUT you shouldn't need subsearches for this.
And subsearches are less efficient and have significant limitations.
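To show that the stacked Metric/Value layout does not need any subsearch, here is an added example (not lguinn2's or the poster's code) that builds constructed sample events with makeresults, computes all six metrics from the thread in one pass, and then pivots the single result row into rows with transpose; the utma values, weekdays and counts are constructed for illustration and would be replaced by the real base search.

```spl
| makeresults count=30
| streamstats count AS n
| eval utma="visitor".(n % 7),
       date_wday=case(n % 5 = 0, "monday", n % 5 = 1, "tuesday",
                      n % 5 = 2, "wednesday", n % 5 = 3, "thursday", true(), "friday")
| eventstats count AS total_visits dc(utma) AS total_visitors
| stats count AS views dc(utma) AS visitors
        first(total_visits) AS total_visits first(total_visitors) AS total_visitors
        BY date_wday
| stats first(total_visits) AS "Total Visits"
        first(total_visitors) AS "Total Visitors"
        avg(views) AS "Average Page Views by Day"
        avg(visitors) AS "Average Page Visits by Day"
        median(views) AS "Median Page Views by Day"
        median(visitors) AS "Median Page Visits by Day"
| transpose column_name=Metric
| rename "row 1" AS Value
```

The eventstats pass carries the overall totals alongside each event so the per-weekday and overall figures come out of one scan, and transpose turns the six named columns into six Metric/Value rows without append or appendcols.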
