Splunk Search

Can I convert tabular data into a single record?

rakesh_498115
Motivator

My search results are displayed as a table, something like this:

host sourcetype count
acer splunkd 614130
acer splunkd_access 17963
acer splunk_web_access 11289
acer splunk_web_service 1922
acer splunk_btool 1288
acer searches 87
acer first_install-too_small 4
acer splunk_intentions 2
acer splunk_version 1

Now I want the count field to be sorted in ascending order, so I have used the sort query on my output table. Now I need the table to print as a single record, as below:

host splunkd splunkd_access ...

acer 614130 17963 ...
I tried the chart command but couldn't get the result. Please help.

0 Karma
1 Solution

sideview
SplunkTrust

Sure. The easiest way is to tack this on the end:

| chart sum(count) as count over host by sourcetype

However, assuming that the search generating your current results is something like

stats count by host sourcetype

then the much more elegant way is to replace that stats clause, with this chart clause:

chart count over host by sourcetype

and if there are really more than the one host in your dataset, but you only want to show the single highest source, you would fit the sort and head operators in there, as necessary.

Ayn
Legend

As stated earlier, I believe you cannot sort the column order.

rakesh_498115
Motivator

Don't we have any other way to achieve this?

0 Karma

rakesh_498115
Motivator

Actually, the table which I mentioned doesn't show the records in sorted order, so I have the sort command followed by the stats, and then tried to use the chart command. But I am not getting the desired results.

I have used something like this:

stats count by host sourcetype | sort - count | chart count over host by sourcetype

But then I couldn't see the results in sorted order.

0 Karma

sideview
SplunkTrust

I'm not sure what part of my answer wasn't clear, or didn't answer your question?

0 Karma

rakesh_498115
Motivator

I want to display the results in sorted order, so I am using the sort command. These results should be displayed as a single record, so I am using the chart command again. Please help.

0 Karma

sideview
SplunkTrust

Note that I said if you are appending it after the stats, you will have to use "chart sum(count) as count". It's only if you're replacing the stats that you can use "chart count". There's really no reason to do the stats, and then a sort, and then a chart. As I said the much better way is to replace the stats with the chart, and I don't think I completely understand what you're trying to do with the sort.

0 Karma

rakesh_498115
Motivator

I would like to use the sort command after the

stats count by host sourcetype | sort - count

Now when I am trying to append

chart count over host by sourcetype

I am not getting the results.

I have used it like this:

index=_internal [some logic] | stats count by host sourcetype | sort - count | chart count over host by sourcetype

But this didn't work. I need the complete query using sort. Thanks in advance.

0 Karma
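
A small Python model of the three pipelines discussed in this thread, added here as an example; it is not code from any poster and not Splunk's implementation. The sample events and function names are constructed, and emitting series columns in name order is an assumption of the model, in line with the thread's report that a `sort` placed before `chart` does not carry through to the columns.

```python
from collections import Counter, defaultdict

# Constructed sample events as (host, sourcetype); not data from the thread.
EVENTS = ([("acer", "splunkd")] * 5 + [("acer", "splunkd_access")] * 3
          + [("acer", "searches")])

def stats_count_by(events):
    """Model of `stats count by host sourcetype`: one row per pair."""
    return [{"host": h, "sourcetype": s, "count": n}
            for (h, s), n in Counter(events).items()]

def sort_desc(rows, field):
    """Model of `sort - <field>`."""
    return sorted(rows, key=lambda r: r[field], reverse=True)

def chart_over_by(rows, agg):
    """Model of `chart <agg> over host by sourcetype`.

    agg == "count" counts input rows; agg == "sum(count)" adds their
    count field. Assumption of this model: series columns are emitted in
    name order, so the input row order does not set the column order.
    """
    cells = defaultdict(lambda: defaultdict(int))
    for r in rows:
        cells[r["host"]][r["sourcetype"]] += 1 if agg == "count" else r["count"]
    return [{"host": h, **{c: cells[h][c] for c in sorted(cells[h])}}
            for h in sorted(cells)]

def compare_pipelines(events=EVENTS):
    """Run the three pipelines from the thread on the same events."""
    raw = [{"host": h, "sourcetype": s} for h, s in events]
    sorted_stats = sort_desc(stats_count_by(events), "count")
    return {
        # stats | sort | chart count: every cell is 1 (one stats row per pair)
        "stats_sort_chart_count": chart_over_by(sorted_stats, "count"),
        # stats | sort | chart sum(count) as count: the real totals
        "stats_sort_chart_sum": chart_over_by(sorted_stats, "sum(count)"),
        # chart count replacing stats: same totals, no stats or sort needed
        "chart_count_only": chart_over_by(raw, "count"),
    }

if __name__ == "__main__":
    for name, table in compare_pipelines().items():
        print(name, table)
```
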