Splunk Search

How to search the results produced by the multireport command?

jlkokko
Path Finder

I have the following search:

index="main" |rename Proj_repo AS Project | multireport [ stats values(Project) AS Projects BY Author ][ stats values(Author) AS Team BY Project ] 

that provides a combined result set for which I need to search each Author against Team to get a combined set of Team values for the author (in other words, everyone the author has worked with).

I've tried various forms of foreach and map, but to no avail. I've additionally tried comma delimiting the Team values since it's a multivalue field.

Suggestions on how to search the results of the multireport? Thanks!

0 Karma
1 Solution

somesoni2
SplunkTrust

Give this a try

index=main | stats count by Proj_repo Author |rename Proj_repo AS Project | eventstats values(Author) as Authors by Project | stats values(Authors) as Team by Author


somesoni2
SplunkTrust

Give this a try as well (may be little faster)

index=main | stats values(Proj_repo) as Projects by Author | eventstats values(Author) as Team by Projects | stats values(Team) as Team by Author | eval MemberCount=mvcount(Team)
0 Karma

landen99
Motivator

Do you have a link to the documentation on multireport? I don't see it here: https://docs.splunk.com/Documentation/Splunk/8.0.1/SearchReference/WhatsInThisManual

0 Karma

gjanders
SplunkTrust

multireport is unlikely to be documented unfortunately, they are more likely to create a new search command...

0 Karma

jlkokko
Path Finder

Exactly what I needed. Can you explain the need for stats count? I'm not sure I understand its use in the equation.

0 Karma

somesoni2
SplunkTrust

The stats count was to remove the duplicate combination of Project and Author. You can use the dedup command as well. I generally prefer to remove unwanted results as soon as possible, to avoid extra processing.

0 Karma
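To make the stages of the accepted search and the dedup explanation above concrete, here is an added example (not code from the thread or from Splunk) that emulates each SPL stage in plain Python over a small constructed event set. The event data, field names Proj_repo and Author, and the function names are all assumptions chosen to mirror the search; the point is to show what stats count, eventstats values(), stats values() and mvcount each contribute to the final Team per Author.

```python
"""Emulate the accepted SPL pipeline in plain Python with constructed events.

Stages mirror the search:
  stats count by Proj_repo Author      -> dedupe (project, author) pairs
  eventstats values(Author) by Project -> per-project author set
  stats values(Authors) by Author      -> union of those sets per author
  eval MemberCount=mvcount(Team)       -> size of the union
"""
from collections import defaultdict

# Constructed sample events (not from the original post). Repeated
# (Proj_repo, Author) pairs stand in for the many events one author
# generates on one repo; the stats count step collapses them.
EVENTS = [
    {"Proj_repo": "auth-service", "Author": "alice"},
    {"Proj_repo": "auth-service", "Author": "alice"},
    {"Proj_repo": "auth-service", "Author": "bob"},
    {"Proj_repo": "billing", "Author": "bob"},
    {"Proj_repo": "billing", "Author": "carol"},
    {"Proj_repo": "billing", "Author": "bob"},
    {"Proj_repo": "infra", "Author": "dave"},
]


def dedup_pairs(events):
    """stats count by Proj_repo Author: one row per distinct (project, author)."""
    return sorted({(e["Proj_repo"], e["Author"]) for e in events})


def authors_by_project(pairs):
    """eventstats values(Author) as Authors by Project: project -> sorted author set."""
    groups = defaultdict(set)
    for project, author in pairs:
        groups[project].add(author)
    return {project: sorted(authors) for project, authors in groups.items()}


def team_by_author(events):
    """stats values(Authors) as Team by Author, then eval MemberCount=mvcount(Team).

    Returns {author: {"Team": [...], "MemberCount": n}}. As in the SPL,
    values() keeps the author themselves in Team, so MemberCount counts them.
    """
    pairs = dedup_pairs(events)
    per_project = authors_by_project(pairs)
    team = defaultdict(set)
    for project, author in pairs:
        # Each (project, author) row carries that project's Authors list;
        # stats values() across an author's rows is the union of those lists.
        team[author].update(per_project[project])
    return {
        author: {"Team": sorted(members), "MemberCount": len(members)}
        for author, members in sorted(team.items())
    }


if __name__ == "__main__":
    for author, row in team_by_author(EVENTS).items():
        print(f"{author:6} Team={row['Team']} MemberCount={row['MemberCount']}")
```

Two things worth checking against your own data: the dedup stage is what stops a prolific author on one repo from inflating later counts, and Team includes the author themselves because values(Author) by Project naturally does, so MemberCount is the team size, not the number of collaborators (subtract one if you want the latter).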

jlkokko
Path Finder

As the first count is not displayed, I simplified it a bit and added the counts on the end:

index=main | eventstats values(Author) as Authors by Proj_repo | stats values(Authors) as Team by Author | eval People = mvcount(Team)