Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

stats for json data

email2vamsi
Explorer
‎10-15-2020 04:34 AM

Hello Experts,

 

search..
|search "json attribute"
|stats sum(latest("_attributes.xxx.total")) by servername
|append [search ...
|search "json attribute"
|stats sum(latest("_attributes.yyy.total")) by servername]

 

The above search returns rows in the following format:-
servername --- sum(latest("_attributes.xxx.total")) --  sum(latest("_attributes.yyy.total"))

But i want them to be displayed as follows:--
servername --- sum(latest("_attributes.Both_xxx_yyy.total")) 

Thank you.

Labels (1)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-15-2020 05:51 AM

You have two separate searches with their results appended so it should be no surprise that the display contains separate values.

Have you tried adding the two results together?

search..
|search "json attribute"
|stats sum(latest("_attributes.xxx.total")) as Total_xxx by servername
|append [search ...
|search "json attribute"
|stats sum(latest("_attributes.yyy.total")) as Total_yyy by servername]
|eval Total_xxx_yyy=Total_xxx + Total_yyy
|table servername Total_xxx_yyy
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

email2vamsi
Explorer
‎10-19-2020 12:21 AM

Thank you Mr.Rich.

This is my requirement.

base search..
|search "_attributes.xxx.total"
|stats dc(servername) by _attributes.xxx.total

base search..
|search "_attributes.yyy.total"
|stats dc(servername) by _attributes.yyy.total

From these two searches i want a cobination like the below with a wild card.
But it wouldn't work this way.Please suggest how to achieve it.
base search..
|search "_attributes.*.total"
|stats dc(servername) by _attributes.*.total

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎10-19-2020 01:06 AM

It is not clear what your requirement is. What does |stats dc(servername) by _attributes.*.total mean? Distinct count of servername where _attributes.xxx.total and _attributes.yyy.total are combined into a single count, or do you want separate distinct counts for _attributes.xxx.total and _attributes.yyy.total?

For separate counts

base search..
|search "_attributes.xxx.total"
|stats dc(servername) as servers by _attributes.xxx.total
|rename _attributes.xxx.total as total
|append [
base search..
|search "_attributes.yyy.total"
|stats dc(servername) as servers by _attributes.yyy.total
|rename _attributes.yyy.total as total
]
|table total servers

 For total counts (although this will double count servers where xxx.total = yyy.total

base search..
|search "_attributes.xxx.total"
|stats dc(servername) as servers by _attributes.xxx.total
|rename _attributes.xxx.total as total
|append [
base search..
|search "_attributes.yyy.total"
|stats dc(servername) as servers by _attributes.yyy.total
|rename _attributes.yyy.total as total
]
|table sum(total) as total servers

For counts without double counting

base search..
|search "_attributes.xxx.total" OR "_attributes.yyy.total"
|eval total=if(isnull('_attributes.xxx.total'),'_attributes.yyy.total',mvappend('_attributes.xxx.total','_attributes.yyy.total'))
|mvexpand total
|stats dc(servername) as servers by total
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas

    Thursday, June 25, 2026  |  11AM PDT / 2PM EDT  Duration: 1 Hour (Includes live Q&A) Register to ...

Analytics Workspace deprecation

As of Splunk Cloud Platform 10.4.2604 and Splunk Enterprise 10.4, Analytics Workspace is now deprecated. ...

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

Splunk Developer Day brought the Splunk developer community together for a practical look at what it means to ...