Re: stats for json data

email2vamsi · ‎10-15-2020

Hello Experts,

search..
|search "json attribute"
|stats sum(latest("_attributes.xxx.total")) by servername
|append [search ...
|search "json attribute"
|stats sum(latest("_attributes.yyy.total")) by servername]

The above search returns rows in the following format:-
servername --- sum(latest("_attributes.xxx.total")) -- sum(latest("_attributes.yyy.total"))

But i want them to be displayed as follows:--
servername --- sum(latest("_attributes.Both_xxx_yyy.total"))

Thank you.

richgalloway · ‎10-15-2020

You have two separate searches with their results appended so it should be no surprise that the display contains separate values.

Have you tried adding the two results together?

search..
|search "json attribute"
|stats sum(latest("_attributes.xxx.total")) as Total_xxx by servername
|append [search ...
|search "json attribute"
|stats sum(latest("_attributes.yyy.total")) as Total_yyy by servername]
|eval Total_xxx_yyy=Total_xxx + Total_yyy
|table servername Total_xxx_yyy

---
If this reply helps you, Karma would be appreciated.

email2vamsi · ‎10-19-2020

Thank you Mr.Rich.

This is my requirement.

base search..
|search "_attributes.xxx.total"
|stats dc(servername) by _attributes.xxx.total

base search..
|search "_attributes.yyy.total"
|stats dc(servername) by _attributes.yyy.total

From these two searches i want a cobination like the below with a wild card.
But it wouldn't work this way.Please suggest how to achieve it.
base search..
|search "_attributes.*.total"
|stats dc(servername) by _attributes.*.total

ITWhisperer · ‎10-19-2020

It is not clear what your requirement is. What does |stats dc(servername) by _attributes.*.total mean? Distinct count of servername where _attributes.xxx.total and _attributes.yyy.total are combined into a single count, or do you want separate distinct counts for _attributes.xxx.total and _attributes.yyy.total?

For separate counts

base search..
|search "_attributes.xxx.total"
|stats dc(servername) as servers by _attributes.xxx.total
|rename _attributes.xxx.total as total
|append [
base search..
|search "_attributes.yyy.total"
|stats dc(servername) as servers by _attributes.yyy.total
|rename _attributes.yyy.total as total
]
|table total servers

For total counts (although this will double count servers where xxx.total = yyy.total

base search..
|search "_attributes.xxx.total"
|stats dc(servername) as servers by _attributes.xxx.total
|rename _attributes.xxx.total as total
|append [
base search..
|search "_attributes.yyy.total"
|stats dc(servername) as servers by _attributes.yyy.total
|rename _attributes.yyy.total as total
]
|table sum(total) as total servers

For counts without double counting

base search..
|search "_attributes.xxx.total" OR "_attributes.yyy.total"
|eval total=if(isnull('_attributes.xxx.total'),'_attributes.yyy.total',mvappend('_attributes.xxx.total','_attributes.yyy.total'))
|mvexpand total
|stats dc(servername) as servers by total

stats for json data

stats

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation