Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Appending/Adding count of results in the column header

pushpender07
Explorer
‎08-08-2017 11:22 AM

alt textHi All,

I have a search - index=ABC sourcetype=XYZ | stats values(user), dc(user) by region | transpose header_field=region | fields – column which produces the following result:

Region1      Region2          Region3
ABC             XYZ           MNO
PQR             STU           BCD
MKL     
3              2                2

I want the count of distinct users to be appended to the column name in the table. Final result should look like the table below. Is this possible in Splunk? 

Region1(3)  Region2(2)  Region3(2)
ABC        XYZ         MNO
PQR        STU         BCD
MKL

Added a picture of the table to make it clear

Preview file
12 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DalJeanis
Legend
‎08-08-2017 11:33 AM

Try this...

index=ABC sourcetype=XYZ 
| stats values(user) as user, dc(user) as usercount by region 
| eval region = region." (".usercount.")"
| fields - usercount
| transpose header_field=region 
| fields – column

View solution in original post

Reply
Solved! Jump to solution

niketn
Legend
‎08-08-2017 11:39 AM

@pushpender07, try the following:

index=ABC sourcetype=XYZ 
| stats values(user) as user dc(user) as dc_user by region 
| eval region=region."(".dc_user.")"
| transpose header_field=region 
| search column=user
| fields – column
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

pushpender07
Explorer
‎08-08-2017 11:50 AM

this one does not work, it just displays one row with user text in it. Response from @DalJeanis works perfectly

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎08-08-2017 07:11 PM

I have updated, it should have been values(user) and not last(user)

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

pushpender07
Explorer
‎08-09-2017 09:23 AM

still does not work, what is the use of search column = user? It shows the same response with one row and "user" as text in it

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎08-09-2017 06:36 PM

| search column=user gets rid of column dc_user (count of distinct users) after transpose, since count is already appended to table header region. You can remove pipes 4, 5 and 6 and then put them back in the query one by one to understand what they are doing.

If results are not the way you expect, maybe I missed something you want. As far as there is another answer solving your problem you should be good!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution
Solution

DalJeanis
Legend
‎08-08-2017 11:33 AM

Try this...

index=ABC sourcetype=XYZ 
| stats values(user) as user, dc(user) as usercount by region 
| eval region = region." (".usercount.")"
| fields - usercount
| transpose header_field=region 
| fields – column
Reply
Solved! Jump to solution

niketn
Legend
‎08-08-2017 11:40 AM

@DalJeanis...You beat me to it 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎08-08-2017 12:06 PM

I was snoozing but we all 3 commented before @someshoni2!

Reply
Solved! Jump to solution

DalJeanis
Legend
‎08-08-2017 12:13 PM

@woodcock - you must have sneezed while typing @somesoni2.

... and it took all my self-control not to type "woodstock"...

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎08-08-2017 12:18 PM

I answer to everything.

0 Karma
Reply
Solved! Jump to solution

pushpender07
Explorer
‎08-08-2017 11:48 AM

Perfect, thanks it works

0 Karma
Reply
Get Updates on the Splunk Community!

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

 Ready to master Kubernetes and cloud monitoring like the pros? Join Splunk’s Growth Engineering team for an ...

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

To Community SOAR App Developers - we're reaching out with an important update regarding Python 3.9's ...

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...