Splunk Search

How to use the Format search command

lpolo
Motivator

How to use the "Format" search command using the optional arguments.

The documentation does not show how to use the optional arguments for this command.

search sourcetype="tvs-a9-request" | stats dc(TextQuery) as Query | append [search sourcetype="tvs-a9-request" | stats count(MAC) as Number] | format

Result set:
( ( Query="3818" ) OR ( Number="9184" ) )

I would like to format this result set as follow:

Query  Number
3818   9184


Lamar
Splunk Employee

Use transpose to do that.

search sourcetype="tvs-a9-request" | stats dc(TextQuery) as Query | append [search sourcetype="tvs-a9-request" | stats count(MAC) as Number] | transpose


splunker12er
Motivator

Try like this:

index=* | stats values(sourcetype) as sourcetype by host | join [search index=* | stats values(source) as source by host]


lpolo
Motivator

Thanks for your reply. In this case, your query is great; we do not need the append or appendcols commands. I think I was not clear in my previous post. I have two similar queries:

query 1:
sourcetype="tvs-a9-request" NOT forward |stats dc(TextQuery) as Query1

query 2:
sourcetype="tvs-a9-request" AND forward |stats dc(TextQuery) as Query2

How can I get both result sets in one query, presented in a table, without using the append or appendcols commands? Example:

Query 1  Query 2
125      254

thanks,
Lp


mw
Splunk Employee

It actually does explain the arguments, which are 6 separate strings:

Optional arguments

<string>
  Syntax: "<string>"
  Description: These six optional string arguments correspond to: ["<row prefix>" "<column prefix>" "<column separator>" "<column end>" "<row separator>" "<row end>"]. By default, when you don't specify any strings, the format output defaults to: "(" "(" "AND" ")" "OR" ")"

The format command is really used in the creation of a search, which is why it will join all rows and columns to create a valid search string. Is that what you're doing here, or are you just looking to get a string to output on a dashboard? If it's the latter, something like this would probably work better. I don't see any reason to use that append subsearch either:

search sourcetype="tvs-a9-request"
  | stats dc(TextQuery) as Query count(MAC) as Number
  | strcat "Query Number " Query " " Number my_new_string
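To make the six positional strings concrete, here is a small Python model of how `format` joins a result set into a search string; it is an added example written for this thread, not Splunk's own code. It reproduces the `( ( Query="3818" ) OR ( Number="9184" ) )` string from the question, and the quoting of values and the skipping of null fields follow what that output shows; multivalue fields and the empty-result case are not modelled.

```python
from typing import Dict, Iterable, List, Optional, Sequence

# The six defaults exactly as the docs quoted above list them:
# row prefix, column prefix, column separator, column end, row separator, row end.
DEFAULT_STRINGS = ("(", "(", "AND", ")", "OR", ")")


def splunk_format(rows: Iterable[Dict[str, Optional[str]]],
                  strings: Sequence[str] = DEFAULT_STRINGS) -> str:
    """Model of `| format` (assumption: written for this page, not Splunk's code).

    Each row becomes  <col prefix> field="value" <col sep> ... <col end>,
    rows are joined with <row sep>, and the whole string is wrapped in
    <row prefix> ... <row end>.  Fields with a null value are left out, as in
    the question's output where each row carried only one of the two fields.
    """
    if len(strings) != 6:
        raise ValueError("format takes exactly six optional strings")
    row_prefix, col_prefix, col_sep, col_end, row_sep, row_end = strings

    rendered_rows: List[str] = []
    for row in rows:
        # field="value" pairs; values are always quoted, as in the question's result
        pairs = [f'{field}="{value}"' for field, value in row.items() if value is not None]
        if not pairs:
            continue  # a row with no non-null fields contributes nothing
        rendered_rows.append(" ".join([col_prefix, f" {col_sep} ".join(pairs), col_end]))

    if not rendered_rows:
        return ""  # simplification: the real command's empty-result clause is not modelled
    return " ".join([row_prefix, f" {row_sep} ".join(rendered_rows), row_end])


# Constructed result set: the two appended single-field rows from the question.
QUESTION_ROWS = [{"Query": "3818", "Number": None}, {"Query": None, "Number": "9184"}]


def question_default() -> str:
    """Default strings, i.e. a bare `| format` as in the question."""
    return splunk_format(QUESTION_ROWS)


def question_bracketed() -> str:
    """Same rows with the outer parentheses swapped for square brackets."""
    return splunk_format(QUESTION_ROWS, ("[", "(", "AND", ")", "OR", "]"))
```

A row with several non-null fields is joined with the column separator, so the model also shows why a single-row `stats` producing both fields would yield an AND clause rather than the OR seen in the question.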
