how to Union 4 searches with 4 field name

splunkt0n · ‎03-14-2018

Hi,

Good day!

have this search:

| union 
    [| pivot latest(field0) AS field0 SPLITROW field4 AS field4 
    | search field0="Success" 
    | stats count as field3 by field1,field2 
    | addtotals row=f col=t labelfield="field2" label="Grand Total" field3 ] 
    [| pivot latest(field0) AS field0 SPLITROW field4 AS field4 
    | search field0="Failed" 
    | stats count as field3 by field1,field2 
    | addtotals row=f col=t labelfield="field2" label="Grand Total" field3 ] 
    [| pivot latest(field0) AS field0 SPLITROW field4 AS field4 
    | search field0="Warning" 
    | stats count as field3 by field1,field2 
    | addtotals row=f col=t labelfield="field2" label="Grand Total" field3 ]

and I want my result to look like this.

Hope you can help me and thanks in advance!

mayurr98 · ‎03-14-2018

can you try this

| pivot latest(field0) AS field0 SPLITROW field4 AS field4 
| search field0="Success" 
| stats count as field3 by field1,field2 
| addtotals row=f col=t labelfield="field2" label="Grand Total" field3 ] 
| append 
[| pivot latest(field0) AS field0 SPLITROW field4 AS field4 
| search field0="Failed" 
| stats count as field3 by field1,field2 
| addtotals row=f col=t labelfield="field2" label="Grand Total" field3 ] 
| append 
[| pivot latest(field0) AS field0 SPLITROW field4 AS field4 
| search field0="Warning" 
| stats count as field3 by field1,field2 
| addtotals row=f col=t labelfield="field2" label="Grand Total" field3 ]

how to Union 4 searches with 4 field name

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!