Solved: How to append search as new row?

jaj · ‎02-18-2014

Given the following query, how can I append the second query so that the results show up as two rows so I can graph the results (in a pie chart).

// This query appends a new search as an additional col but what I really want i a new row.
source=*/blah/the.log "labelData= " | stats count as NOMATCHES | appendcols [search source=*/blah/the.log labelData!="" | stats count as MATCHES ]

yannK · ‎02-18-2014

try the append instead of appendcols

View solution in original post

yannK · ‎02-18-2014

try the append instead of appendcols

jaj · ‎02-18-2014

single query is exactly what I was looking for...I just what i was looking for...the labelData= was messing my query up as I couldn't query it by null or by labelData="". This worked awesome! Thanks!

yannK · ‎02-18-2014

but you could also do all in a single search with an eval or a case and define your own field.

example

source=*/blah/the.log "labelData= " OR labelData!="" | eval label=if(isnull(labelData),"nomatch","match") | stats count by label

somesoni2 · ‎02-18-2014

just use "append" instead of "appendcols"

How to append search as new row?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!