Splunk Enterprise

How do I customize search for table output?

mahesh27
Communicator

Search:

index=xxxx sourcetype=xxxxx home_feature!=connectapp application_name IN(artical, login, management, pageout)
|table Description home_feature application_name _time count
|sort Description _time home_feature application_name
|streamstats current=f window=1 values(Description) as desp values(home_feature) as app values(_time) as totaltime values(count) as totalcount
|eval siml=if(home_feature == app AND Description == desp, count - totalcount, 0)
|eval siml2=if(siml < 0, count, siml)
|where siml2 > 0
|eval time=strftime(now(), "%d/%m/%YT%H:%M:%S")
|stats sum(value) by home_feature, application_name



Output:

home_feature   application_name  sum(value)
ampt.gc.com    login             298
ampt.gc.com    pageout           2341
https:gtt.com  artical           4567
wcw.gft.com    management        678
app.df.com     login             499
rt.hj.com      pageout           567
tt.com         artical           345
ggt.com        management        178

But I need the output as shown below:

_time                home_feature   login  pageout  management  artical
03/02/2023T14:05:15  ampt.gc.com    298    100      678         567
03/02/2023T12:05:15  ampt.gc.com    345    345      12341       789
03/02/2023T11:05:15  https:gtt.com  100    45678    9087        4567
03/02/2023T10:05:15  wcw.gft.com    456    567      678         789
03/02/2023T09:05:15  app.df.com     900    345      23499       3215
03/02/2023T08:05:15  rt.hj.com      789    125      567         678
03/02/2023T06:05:15  tt.com         12     34       345         45
03/02/2023T04:05:15  ggt.com        23     14       178         34

How do I achieve this?

0 Karma
1 Solution

ITWhisperer
SplunkTrust
index=xxxx sourcetype=xxxxx home_feature!=connectapp application_name IN(artical, login, management, pageout)
|table Description home_feature application_name _time count
|sort Description _time home_feature application_name
|streamstats current=f window=1 values(Description) as desp values(home_feature) as app values(_time) as totaltime values(count) as totalcount
|eval siml=if(home_feature == app AND Description == desp, count - totalcount, 0)
|eval siml2=if(siml < 0, count, siml)
|where siml2 > 0
|chart sum(value) by home_feature, application_name
|eval time=strftime(now(), "%d/%m/%YT%H:%M:%S")

mahesh27
Communicator

Hi @ITWhisperer.

|chart sum(value) by home_feature, application_name

I tried the above query but I am getting the output as:

home_feature   NULL
ampt.gc.com    678
https:gtt.com  345
ggt.com        45678
gct.com        567
gtt.com        199

I also tried the query

|chart sum(value) over home_feature by application_name

This also gives the same results as shown above.

0 Karma

ITWhisperer
SplunkTrust

If stats by application_name is giving you login, pageout, etc., I am not sure why chart by application_name is giving NULL.

Please can you share some sample events (anonymised of course) and the exact search that you used to get these results?

0 Karma

mahesh27
Communicator

@ITWhisperer, now I am getting the expected results. The mistake I made was in chart: I was writing chart sum(value), but I should have written chart sum(diff).
Thank you for your response, it helped me.

0 Karma
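The stats-versus-chart distinction this thread turns on, modelled in Python as an added example (not Splunk's code and not the thread's search): stats sum(...) by a, b yields one row per (a, b) pair, while chart sum(...) over a by b pivots the second field into columns, and with chart's defaults (usenull=true, nullstr=NULL) events that lack the split-by field are collected into a column named NULL, which is the shape reported in the follow-up. The sample events, the siml2 value field and the zero-fill of empty cells are assumptions of this model.

```python
from collections import defaultdict

# Constructed sample events (not from the thread): one per
# (home_feature, application_name) pair; siml2 stands for the per-event
# value the thread's search computes before the final aggregation.
EVENTS = [
    {"home_feature": "ampt.gc.com", "application_name": "login", "siml2": 298},
    {"home_feature": "ampt.gc.com", "application_name": "pageout", "siml2": 2341},
    {"home_feature": "tt.com", "application_name": "artical", "siml2": 345},
    {"home_feature": "tt.com", "application_name": "login", "siml2": 12},
]

def table(events, *fields):
    """Model of '| table f1 f2 ...': keep only the listed fields, drop the rest."""
    return [{f: e[f] for f in fields if f in e} for e in events]

def stats_sum_by(events, value, *by):
    """Model of '| stats sum(value) by f1, f2': one row per group (long form)."""
    totals = defaultdict(int)
    for e in events:
        totals[tuple(e.get(f) for f in by)] += e.get(value, 0)
    return [dict(zip(by, key), **{f"sum({value})": t}) for key, t in totals.items()]

def chart_sum_over_by(events, value, over, by, nullstr="NULL"):
    """Model of '| chart sum(value) over <over> by <by>': one row per <over>
    value and one column per <by> value (wide form). As with chart's default
    usenull=true, events lacking the split-by field go into a column named
    nullstr. Cells with no events are filled with 0 in this model (assumption)."""
    rows = defaultdict(lambda: defaultdict(int))
    for e in events:
        rows[e.get(over)][e.get(by, nullstr)] += e.get(value, 0)
    columns = sorted({c for r in rows.values() for c in r})
    return [{over: key, **{c: r.get(c, 0) for c in columns}} for key, r in rows.items()]

def chart_after_dropping_by_field():
    """Reproduce the NULL-only column: a table that does not keep
    application_name leaves chart nothing to split on."""
    narrowed = table(EVENTS, "home_feature", "siml2")
    return chart_sum_over_by(narrowed, "siml2", "home_feature", "application_name")

if __name__ == "__main__":
    for row in stats_sum_by(EVENTS, "siml2", "home_feature", "application_name"):
        print(row)  # long form: one row per home_feature/application_name pair
    for row in chart_sum_over_by(EVENTS, "siml2", "home_feature", "application_name"):
        print(row)  # wide form: one row per home_feature, one column per application
    for row in chart_after_dropping_by_field():
        print(row)  # only a NULL column, as in the follow-up comment
```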