Splunk Search

Can I convert tabular data into a single record?

Motivator

My search results are displayed as a table, something like this:

host sourcetype count
acer splunkd 614130
acer splunkd_access 17963
acer splunk_web_access 11289
acer splunk_web_service 1922
acer splunk_btool 1288
acer searches 87
acer first_install-too_small 4
acer splunk_intentions 2
acer splunk_version 1

Now I want the count field to be sorted in ascending order, so I have used the sort command on my output table. Now I need the table to print as a single record, as below:

host splunkd splunkd_access ...

acer 614130 17963 ...
Tried the chart command, but couldn't get the result. Please help.


SplunkTrust

Sure. The easiest way is to tack this on the end:

| chart sum(count) as count over host by sourcetype

However, assuming that the search generating your current results is something like

stats count by host sourcetype

then the much more elegant way is to replace that stats clause, with this chart clause:

chart count over host by sourcetype

and if there are really more than the one host in your dataset, but you only want to show the single highest source, you would fit the sort and head operators in there, as necessary.

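As an added example (not from the thread), this is the replacement the answer suggests, applied to the question's data and followed by an explicit column order. `sort` orders rows, not columns, and after `chart` there is no `count` field left to sort on, so the column order is fixed with `table` instead; the sourcetype names are taken from the question's table, and the asker's `[some logic]` is assumed to be nothing more than the index filter.

```spl
index=_internal
| chart count over host by sourcetype
| table host splunkd splunkd_access splunk_web_access splunk_web_service splunk_btool searches first_install-too_small splunk_intentions splunk_version
```

The `table` list is written in the descending-count order from the question, so the single output row shows the highest-volume sourcetype first.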

Legend

As stated earlier, I believe you cannot sort the column order.

Motivator

Don't we have any other way to achieve this?



Motivator

Actually, the table which I mentioned doesn't show the records in sorted order, so I have the sort command following the stats, and then tried to use the chart command. But I am not getting the desired results.

I have used something like this:

stats count by host sourcetype | sort - count | chart count over host by sourcetype

but then I couldn't see the results in sorted order.


SplunkTrust

I'm not sure what part of my answer wasn't clear, or didn't answer your question?


Motivator

I want to display the results in sorted order, so I am using the sort command, and these results should be displayed as a single record, so I am using the chart command again. Please help.


SplunkTrust

Note that I said if you are appending it after the stats, you will have to use "chart sum(count) as count". It's only if you're replacing the stats that you can use "chart count". There's really no reason to do the stats, and then a sort, and then a chart. As I said the much better way is to replace the stats with the chart, and I don't think I completely understand what you're trying to do with the sort.


Motivator

I would like to use the sort command after the

stats count by host sourcetype | sort - count

Now when I am trying to append

chart count over host by sourcetype

I am not getting the results.

I have used it like this:

index=_internal [some logic] | stats count by host sourcetype | sort - count | chart count over host by sourcetype

but this didn't work. I need the complete query using sort. Thanks in advance.
