Splunk Search

results into a single row table

fresned
Path Finder

Hi,

I have three search results giving me three different sets of results, there are values from each search. I have not been able to find a way to get the results into a single row table.

I need to merge all these results into a single row in a single table.

The structure of the search I have used is given below.

[ search 1 ]

[ search 2 ]

[ search 3 ]

the resulting table should look like

 up               failed            success           down
 results search1  results search2   results search2   results search3

Appreciate any help!


dwaddle
SplunkTrust

Seeing the example searches and data would be useful indeed. Without them, though, we can still do some handwaving toward an answer. This may not be correct, depending on your exact searches, but it should get you in the ballpark.

Let's start by putting all three of your searches together. This is far from the most efficient way, but it's what works with all I have to go on:

search1 | append [ search search2 ] | append [ search search3 ]

The append search command will run each of these three searches and append their results together. The additional word search in the subsearches for search2/search3 is required as part of the subsearch.

Now, I'll make an assumption that "search1" returns an extracted field named "up", "search2" returns extracted fields named "failed" and "success", and "search3" returns an extracted field named "down". I'll also assume that the field names "up", "failed", "success", and "down" are unique and exclusive to their respective searches. (That is, "search1" does NOT have an extracted field named "failed", "success", or "down" ... and so on)

Given the above assumptions, we know that the stats operation max() should only find a single value to be "the" maximum for a given field. So, we can use stats to collapse this into a single table row:

... (above search) ... 
| stats max(up) as up, max(failed) as failed, max(success) as success, max(down) as down

Giving you a single table row for results from all three searches ...
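As an added illustration (not part of the answer above, and not Splunk code), the following Python models the semantics that answer relies on: `append` concatenates the rows from each search, and `stats max(f) as f` collapses them to one row by taking the largest value seen per field. It also includes a check for the answer's stated assumption that each field belongs to exactly one search, because if two searches share a field, `max()` silently keeps the larger value rather than "the" value from the intended search. The sample result sets and their values are constructed for the example; the field names follow the question.

```python
# Added example: a small Python model of the SPL pipeline from the answer
# (search1 | append [...] | append [...] | stats max(...) as ...).
# It is not Splunk code and not part of the original post; it models the
# semantics the answer relies on so the "each field is exclusive to one
# search" assumption can be checked on sample data.

from typing import Dict, List, Optional

Row = Dict[str, int]

# Constructed sample results, one list of rows per search. The field names
# "up", "failed", "success" and "down" follow the question; values are made up.
SEARCH1_RESULTS: List[Row] = [{"up": 12}]
SEARCH2_RESULTS: List[Row] = [{"failed": 3, "success": 40}]
SEARCH3_RESULTS: List[Row] = [{"down": 2}]

FIELDS = ["up", "failed", "success", "down"]


def append_results(*result_sets: List[Row]) -> List[Row]:
    """Model of `| append [ ... ]`: rows from each search are concatenated,
    each row keeping whatever fields it happens to carry."""
    combined: List[Row] = []
    for rows in result_sets:
        combined.extend(rows)
    return combined


def stats_max(rows: List[Row], fields: List[str]) -> Dict[str, Optional[int]]:
    """Model of `| stats max(f) as f, ...`: one output row whose value for
    each field is the largest value seen across all input rows. A field that
    never appears comes out as None (Splunk would show it empty)."""
    row: Dict[str, Optional[int]] = {}
    for field in fields:
        values = [r[field] for r in rows if field in r]
        row[field] = max(values) if values else None
    return row


def single_row_table(*result_sets: List[Row]) -> Dict[str, Optional[int]]:
    """The whole pipeline from the answer: append, then collapse with stats max."""
    return stats_max(append_results(*result_sets), FIELDS)


def overlapping_fields(*result_sets: List[Row]) -> Dict[str, List[int]]:
    """Check the answer's assumption: report every field that appears in more
    than one search (1-based search indices). Anything returned here means
    max() is choosing between several searches' values, not reporting one."""
    seen: Dict[str, List[int]] = {}
    for idx, rows in enumerate(result_sets, start=1):
        fields_here = {f for r in rows for f in r}
        for f in fields_here:
            seen.setdefault(f, []).append(idx)
    return {f: idxs for f, idxs in seen.items() if len(idxs) > 1}


if __name__ == "__main__":
    print(single_row_table(SEARCH1_RESULTS, SEARCH2_RESULTS, SEARCH3_RESULTS))
    # -> {'up': 12, 'failed': 3, 'success': 40, 'down': 2}

    # Violating the assumption: search1 also carries "failed" with a larger value,
    # so the "failed" column no longer reflects search2 alone.
    clashing = [{"up": 12, "failed": 7}]
    print(overlapping_fields(clashing, SEARCH2_RESULTS, SEARCH3_RESULTS))  # -> {'failed': [1, 2]}
    print(single_row_table(clashing, SEARCH2_RESULTS, SEARCH3_RESULTS)["failed"])  # -> 7
```

Run `overlapping_fields` on real exports of the three searches before trusting the `stats max` row; an empty result confirms the answer's assumption holds for that data.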

tfletcher_splun
Splunk Employee

Can you post the searches?
