Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

results into a single row table

fresned
Path Finder
‎08-16-2012 01:30 PM

Hi,

I have three search results giving me three different set of results, there are values from each search. I have not been able to find a way to get the results into a single row table.

I need merge all these result into a single row in a single table.

The structure of the search I have used is given below.

[ search 1 ]

[ search 2 ]

[ search 3 ]

the resulting table should look like

 up             failed                  success            down

results search1 results search2 results search2 results search3

Appreciate any help!

Tags (1)
Reply

dwaddle
SplunkTrust
SplunkTrust
‎08-16-2012 04:45 PM

Seeing the example searches and data would be useful indeed. Without them, though, we can still do some handwaving toward an answer. This may not be correct, depending on your exact searches, but it should get you in the ballpark.

Let's start by putting all three of your searches together. This is far from the most efficient way, but it's what works with all I have to go on:

search1 | append [ search search2 ] | append [ search search3]

The append search command will run each of these three searches and append their results together. The additional word search in the subsearches for search2/search3 is required as part of the subsearch.

Now, I'll make an assumption that "search1" returns an extracted field named "up", "search2" returns extracted fields named "failed" and "success", and "search3" returns an extracted field named "down". I'll also assume that the field names "up", "failed", "success", and "down" are unique and exclusive to their respective searches. (That is, "search1" does NOT have an extracted field named "failed", "success", or "down" ... and so on)

Given the above assumptions, we know that the stats operation max() should only find a single value to be "the" maximum for a given field. So, we can use stats to collapse this into a single table row:

... (above search) ... 
| stats max(up) as up, max(failed) as failed, max(success) as success, max(down) as down

Giving you a single table row for results from all three searches ...

Reply

tfletcher_splun
Splunk Employee
Splunk Employee
‎08-16-2012 02:21 PM

Can you post the searches?

Reply
Get Updates on the Splunk Community!

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...