Splunk Search

multiple search output in a single table/list/something

smolcj
Builder

Hi all,
I am doing a Splunk app to reduce the complexity in reading a log file. I am done with the field extractions. Now if I want to display the results of several searches in a single list or table, what shall I do? Because all this information is scattered in the file, it will help others if it is coordinated like so:
User:username
Permission:admin
Foldername:foldername1
Servicetype:blabla
Is there any way to display results extracted in different searches in a single table or list?
Now I am using the search queries:

index=main source=sourcename.txt|top user | table user
index=main source=sourcename.txt|top Permission | table Permission

So I am getting a number of tables. How can I make the result view much better?
Please help.
Thanks for your time.

1 Solution

bmacias84
Champion

I think you want to use appendcols.


index=main source=sourcename.txt|top user | table user| appendcols [
index=main source=sourcename.txt|top Permission | table Permission ]

If your two results are coming from different sources then you might want to use join if you have a common field.

index=main source=sourcename.txt | top user | fields user | join user [
index=test source=sourcename2.txt | top Permission by user | fields user, Permission ]

Hope this helps or gets you started. Cheers.

smolcj
Builder

Thank you bmacias84 ... it worked well

0 Karma

bmacias84
Champion

If the user and permission fields are in the same event I would go with @sdaniels.

0 Karma

sdaniels
Splunk Employee

If you want to have user and permission in the same table, just use one of the following:

<your search> | top user by Permission 
<your search> | top user, Permission

You could then add | head 10 or whatever to choose the first 10 etc. based on how many records you want to see in your dashboard view.
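
An added example, not posted by anyone in this thread: a single search that collapses values scattered across several events into one row per user, the layout asked for in the question. The sample events are constructed with makeresults so the search runs on any Splunk instance; the field names Foldername and Servicetype are assumed from the labels in the question.

```spl
| makeresults count=5 ```constructed sample events, not real log data```
| streamstats count AS n
| eval user=case(n<=2, "alice", n<=4, "bob", true(), "carol")
| eval Permission=case(n==1, "admin", n==3, "read", n==5, "write") ```each event carries only some of the fields```
| eval Foldername=case(n==2, "foldername1", n==4, "foldername2") ```Foldername is an assumed field name```
| eval Servicetype=if(n==5, "blabla", null()) ```Servicetype is an assumed field name```
| stats values(Permission) AS Permission values(Foldername) AS Foldername values(Servicetype) AS Servicetype BY user
| rename user AS User
| table User Permission Foldername Servicetype
```

Because stats groups by user, each Permission, Foldername and Servicetype value stays attached to the user whose events contained it, and a field missing for a user is left blank in that row.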

smolcj
Builder

In the dashboard it is also displaying in different panels. How do I do it in a single table? I tried using table properties like table border='0' so that it looks like a single table, but it is not happening.

0 Karma

lguinn2
Legend

Why not use a dashboard?

0 Karma