Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

column data output is going to next row

shashidharh
Explorer
‎11-04-2020 02:28 AM

Hi,

Here is my query:

| search SRCreateRequest Completed | stats count as CreateSR
| appendcols [search SRUpdateRequest Completed | stats count as UpdateSR]
| appendcols [search SRPublishRequest Completed | stats count as PublishSR]
| transpose header_field=a

| appendcols [search SRCreateRequest ERROR | stats count as Failure]
| append [search SRUpdateRequest ERROR | stats count as Failure]
| append [search RPublishRequest ERROR | stats count as Failure]
| appendcols [search SRCreateRequest response | stats count as Response]
| append [search SRUpdateRequest response | stats count as Response]
| append [search RPublishRequest response | stats count as Response]
| rename "column" as "API", "row 1" as "Success" | table API,Success,Failure,Responsewrong output.PNG

 



 

Output is not coming in to proper table.. any suggestion

 

Labels (1)
Labels
0 Karma
Reply

to4kawa
Ultra Champion
‎11-04-2020 01:20 PM

Added these lines

my query will run just itself.

please do not add your query.

0 Karma
Reply

shashidharh
Explorer
‎11-04-2020 08:56 PM

Hi,

yes, I tried.. but I am getting following screens.

If I have less time range, then it is showing only 2 rows and if increase time range,then extra columns showing like NULL,200 etc.

I wanted to have only 3 rows and 3 columns ..

2 items.PNGother columns.PNG

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎11-04-2020 11:57 PM

Your first table suggests insufficient data to find all 3 values of each dimension. The second table suggests you already have a field called status. Based on @to4kawa suggestion, try

 

(SRCreateRequest OR SRUpdateRequest OR SRPublishRequest) (Completed OR ERROR OR response)
| rex "(?<API>SRCreateRequest|SRUpdateRequest|SRPublishRequest)"
| rex "(?<CERstatus>Completed|ERROR|response)"
| chart count by API CERstatus

 

0 Karma
Reply

shashidharh
Explorer
‎11-10-2020 01:26 AM

Hi,

using @ITWhisperer , I am getting extra column "NULL" which was not expected.

Even I tried using same with dashboard query & it not working.

I tried to use server name in the query..

host=server1 (SRCreateRequest OR SRUpdateRequest OR SRPublishRequest) (Completed OR ERROR OR response)

something I am doing wrong ?

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎11-10-2020 02:03 AM

Rather than using chart, for now try stats so you can more easily look at the where the null is coming from

host=server1 (SRCreateRequest OR SRUpdateRequest OR SRPublishRequest) (Completed OR ERROR OR response)
| rex "(?<API>SRCreateRequest|SRUpdateRequest|SRPublishRequest)"
| rex "(?<CERstatus>Completed|ERROR|response)"
| stats count by API CERstatus

Is there something different about the events where the nulls are being reported? Do you have any multi-value fields in your events? 

0 Karma
Reply

shashidharh
Explorer
‎11-10-2020 02:32 AM

yes,I do have multi value fields in the events..

BTW in this query,for 'completed' it is not coming ,only ERROR & Response is coming.

If less time range,where result is there then only it is showing , needs to display all 3 columns (if no data,'zero' has to display)

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎11-10-2020 03:57 AM

Splunk doesn't count what isn't there so you will have to append extra results with zero counts then sum them with your existing results.

0 Karma
Reply

shashidharh
Explorer
‎11-13-2020 03:09 AM

able to remove another column "NULL" using  " where isnotnull(status)"

But, if I tried with in dashboard , getting an error ,although it was working fine with any other search

"Error parsing XML on line 48: Premature end of data in tag form line 1"

 

 

0 Karma
Reply

to4kawa
Ultra Champion
‎11-13-2020 03:22 AM

Your tag didn't close.

0 Karma
Reply

to4kawa
Ultra Champion
‎11-04-2020 03:25 AM

(SRCreateRequest OR SRUpdateRequest OR SRPublishRequest) (Completed OR ERROR OR response)
| rex "(?<API>SRCreateRequest|SRUpdateRequest|SRPublishRequest)"
| rex "(?<status>Completed|ERROR|response)"
| chart count by API status

It's OK, I guess.

0 Karma
Reply

shashidharh
Explorer
‎11-04-2020 03:54 AM

Hi,

Added these lines and output is coming NULL instead of status.

something I am doing wrong ?

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...