Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Enterprise
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Splunk Platform Products
- :
- Splunk Enterprise
- :
- How do I customize search for table output?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mahesh27
Communicator
03-03-2023
11:58 AM
Search:
index=xxxx sourcetype=xxxxx home_feature!=connectapp application_name IN(artical, login, management, pageout)
|table Description application _time count
|sort Description _time home_feature application_name
streamstats current=f window=1 values( Description) as desp values(home_feature) as app values(_time) as totaltime values (count) as totalcount
|eval siml=if(home_feature == app AND Description == desp, count - totalcount,0)
|eval siml2=if(siml <0, Count, siml)
|where siml2 > 0
|eval time=strftime(now(), %d/%m/%YT%H:%M:%S)
|stats sum(value) by home_feature, application_name
Output:
| home_feature | application_name | sum(value) |
| ampt.gc.com | login | 298 |
| ampt.gc.com | pageout | 2341 |
| https:gtt.com | artical | 4567 |
| wcw.gft.com | management | 678 |
| app.df.com | login | 499 |
| rt.hj.com | pageout | 567 |
| tt.com | artical | 345 |
| ggt.com | management | 178 |
but i need the output as shown below:
| _time | home_feature | login | pageout | management | artical |
| 03/02/2023T14:05:15 | ampt.gc.com | 298 | 100 | 678 | 567 |
| 03/02/2023T12:05:15 | ampt.gc.com | 345 | 345 | 12341 | 789 |
| 03/02/2023T11:05:15 | https:gtt.com | 100 | 45678 | 9087 | 4567 |
| 03/02/2023T10:05:15 | wcw.gft.com | 456 | 567 | 678 | 789 |
| 03/02/2023T09:05:15 | app.df.com | 900 | 345 | 23499 | 3215 |
| 03/02/2023T08:05:15 | rt.hj.com | 789 | 125 | 567 | 678 |
| 03/02/2023T06:05:15 | tt.com | 12 | 34 | 345 | 45 |
| 03/02/2023T04:05:15 | ggt.com | 23 | 14 | 178 | 34 |
how to achieve this?
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ITWhisperer
SplunkTrust
03-03-2023
12:06 PM
index=xxxx sourcetype=xxxxx home_feature!=connectapp application_name IN(artical, login, management, pageout)
|table Description application _time count
|sort Description _time home_feature application_name
streamstats current=f window=1 values( Description) as desp values(home_feature) as app values(_time) as totaltime values (count) as totalcount
|eval siml=if(home_feature == app AND Description == desp, count - totalcount,0)
|eval siml2=if(siml <0, Count, siml)
|where siml2 > 0
|chart sum(value) by home_feature, application_name
|eval time=strftime(now(), %d/%m/%YT%H:%M:%S)- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ITWhisperer
SplunkTrust
03-03-2023
12:06 PM
index=xxxx sourcetype=xxxxx home_feature!=connectapp application_name IN(artical, login, management, pageout)
|table Description application _time count
|sort Description _time home_feature application_name
streamstats current=f window=1 values( Description) as desp values(home_feature) as app values(_time) as totaltime values (count) as totalcount
|eval siml=if(home_feature == app AND Description == desp, count - totalcount,0)
|eval siml2=if(siml <0, Count, siml)
|where siml2 > 0
|chart sum(value) by home_feature, application_name
|eval time=strftime(now(), %d/%m/%YT%H:%M:%S)- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mahesh27
Communicator
03-05-2023
12:40 PM
Hi @ITWhisperer .
|chart sum(value) by home_feature, application_name
I tried the above query but i am getting the output as:
| home_feature | NULL |
| ampt.gc.com | 678 |
| https:gtt.com | 345 |
| ggt.com | 45678 |
| gct.com | 567 |
| gtt.com | 199 |
And also i tried the query
|chart sum(value) over home_feature by application_nameThis is also giving same results as shown above.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ITWhisperer
SplunkTrust
03-05-2023
03:14 PM
If stats by application_name is giving you login, pageout etc. I am not sure why chart by application_name is giving NULL.
Please can you share some sample events (anonymised of course) and the exact search that you used to get these results?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mahesh27
Communicator
03-06-2023
02:34 PM
@ITWhisperer , Now i am getting the expected results, the mistake i did is in chart i was mentioning as chart sum(value), but i should mention as chart sum(diff).
Thank you for your response, it helped me.
Get Updates on the Splunk Community!
Welcome to the Splunk Community!
(view in My Videos)
We're so glad you're here!
The Splunk Community is place to connect, learn, give back, and ...
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...
Adoption of RUM and APM at Splunk
Unleash the power of Splunk Observability
Watch Now
In this can't miss Tech Talk! The Splunk Growth ...
