Hello, I'm doing a report (Splunk 7.3) in which I need to append some counts in the first row of the table I'm generating.
This is my query:
myquery | dedup ID | eval DLP_installed=if(match(myDLPTAG, "<pattern>"), "yes", "no"), DLP_rules_installed=if(match(myDLPrules, "<pattern>"), "yes", "no") | stats values(DLP_installed) as dlpinstalled values(DLP_rules_installed) as "rules_installed" values(Tags) AS Tags by ID, FQDN
I need to append a row containing count(eval(DLP_installed=="yes")) as first row.
Any ideas?
Do you mean something like below?
.... | eventstats count(eval(DLP_installed=="yes")) as instlled_count ...
Then use the new field as you see fit.
Thanks for your answer!
But with eventstats, only the count fields appear as columns, repeating the same information for every row.
I need them to appear as the upper row.
Yes ... just finish it off with your ... | stats ....