- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How do I write a search to display a table with th...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
My data looks like:
I currently have this search:
source=myapp test123 | stats count by type
The results are:
type ........ count
1234 ........... 2
123 ........ .. 1
456 .......... 6
I just want to show the count result and another criteria from the logs in a table. Is it possible?
thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You should look at all the functions that are available for the stats command and use what you need, You will probably need values, avg, last, min, and max. You just string them along like this:
source=myapp test123 | stats count avg(delay) last(status) values(color) by type
If you are gong to graph them, you should switch from stats to chart, which is a very similar command and it automatically advances populates the Visualization tab.
http://docs.splunk.com/Documentation/Splunk/6.2.4/SearchReference/CommonStatsFunctions
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You should look at all the functions that are available for the stats command and use what you need, You will probably need values, avg, last, min, and max. You just string them along like this:
source=myapp test123 | stats count avg(delay) last(status) values(color) by type
If you are gong to graph them, you should switch from stats to chart, which is a very similar command and it automatically advances populates the Visualization tab.
http://docs.splunk.com/Documentation/Splunk/6.2.4/SearchReference/CommonStatsFunctions
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, it's defiantly possible.. Instead of doing a stats, you can just do a table command if you want to add more columns
source=myapp test123 | table type brand color
Or if you wanted it to calculate the type and add a table, you could do.. The eval command will create a new field and do the math (size/occurance). The result of the division will be the new field "type"
source=myapp test123 | eval type=(size/occurance) | table type brand color
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What does your data look like? What is the "other criteria"?
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
my data looks like :
015-08-11 10:28:57.4149|process-name|ERROR|BusinessService.myapp.Create.LoggHandleError|Created myapp Failed Mname: myprime |ConsumerName: unknown | type : 4444|ERROR: ErrorCode: Invalidtype
Failed Mname: myprime |ConsumerName: unknown | type : 4444|ERROR: ErrorCode: Invalidtype
015-08-11 10:28:58.4259|process-name|ERROR|BusinessService.myapp.Create.LoggHandleError|Created myapp Failed Mname: myprime|ConsumerName: unknown | type : 5555|ERROR: ErrorCode: Invalidtype
015-08-11 10:28:58.4259|process-name|ERROR|BusinessService.myapp.Create.LoggHandleError|Created myapp Failed Mname: myprime2|ConsumerName: unknown | type : 6666|ERROR: ErrorCode: Invalidtype
i want to show in table :
Mname .............. count (of type)
myprime .............. 3
myprime 2 ............ 1
hope you understand
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
Updated Team Landing Page in Splunk Observability
