How to use the "Format" search commands using the optional arguments....
The documentation does not show how to use the optional arguments for this command.
search sourcetype="tvs-a9-request" | stats dc(TextQuery) as Query | append [search sourcetype="tvs-a9-request" | stats count(MAC) as Number] | format
Result set:
( ( Query="3818" ) OR ( Number="9184" ) )
I would like to format this result set as follow:
query Number
3818 9184
Use transpose to do that.
search sourcetype="tvs-a9-request" | stats dc(TextQuery) as Query | append [search sourcetype="tvs-a9-request" | stats count(MAC) as Number] | transpose
Try like this:
index=* | stats values(sourcetype) as sourcetype by host | join [search index=* | stats values(source) as source by host]
Thanks for your reply. In this case, your query is great; we do not need append or appendcols commands. I think I was not clear in my previous post. I have two similar queries:
query 1:
sourcetype="tvs-a9-request" NOT forward | stats dc(TextQuery) as Query1
query 2:
sourcetype="tvs-a9-request" AND forward | stats dc(TextQuery) as Query2
How can I get both result sets in one query, presented in a table, without using the append or appendcols commands? Example:
Query 1 Query 2
125 254
thanks,
Lp
It actually does explain the arguments, which are 6 separate strings:
Optional arguments
<string>
Syntax: "<string>"
Description: These six optional string arguments correspond to: ["<row prefix>" "<column prefix>" "<column separator>" "<column end>" "<row separator>" "<row end>"]. By default, when you don't specify any strings, the format output defaults to: "(" "(" "AND" ")" "OR" ")"
The format command is really used in the creation of a search, which is why it will join all rows and columns to create a valid search string. Is that what you're doing here, or are you just looking to get a string to output on a dashboard? If it's the latter, something like this would probably work better. I don't see any reason to use that append subsearch either:
search sourcetype="tvs-a9-request"
| stats dc(TextQuery) as Query count(MAC) as Number
| strcat "Query Number " Query " " Number my_new_string
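As an added example (not part of the thread), here are the six positional strings supplied explicitly on the question's own search; the sourcetype and field names are taken from the question, and the bracket choices are arbitrary:

```spl
search sourcetype="tvs-a9-request"
| stats dc(TextQuery) as Query
| append [search sourcetype="tvs-a9-request" | stats count(MAC) as Number]
| format "[" "{" "&&" "}" "||" "]"
```

Each string replaces the default in the same position, so the outer parentheses become square brackets, each row's parentheses become braces, and the AND/OR keywords become && and ||; the result still lands in the `search` field as one string, which is why format suits building a search rather than a table.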
Thanks for your reply. In this case, your query is great; we do not need append or appendcols commands. I think I was not clear in my previous post. I have two similar queries:
query 1: sourcetype="tvs-a9-request" NOT forward | stats dc(TextQuery) as Query1
query 2: sourcetype="tvs-a9-request" AND forward | stats dc(TextQuery) as Query2
How can I get both result sets in one query, presented in a table, without using the append or appendcols commands? Example:
Query 1 Query 2
125 254
thanks,
Lp