How to combine multiple panels into one table?

JoshuaJohn
Contributor

I have multiple single-value number panels that I want to combine into one table. I want my table to look somewhat like this:

I have these few searches as single panels that I want to put into the table. I also wanted to create a description spot for each of the single-panel rows. I attempted to do this with join and then added an appendcols for the description, but was unsuccessful. Any ideas?

|inputlookup blah.csv |search "Match on SCCM"=FALSE |rename "Assets Store #" as Store_Number|rename "Assets Store Desc" as Store_Desc|rename mac as Mac_Address |table "SCCM Store" Store_Number Store_Desc "Match on SCCM" "Serial number" Mac_Address |stats count by "Match on SCCM" |stats sum(count)

|inputlookup blah.csv | search Status!="In use" |rename "Assets Store #" as Store_Number|rename "Assets Store Desc" as Store_Desc|rename mac as Mac_Address |rename "SCCM IP Address" as IP_Address| table Store_Number Mac_Address  "IP_Address" "Status" |dedup Mac_Address |dedup "Store_Number" |stats count by "Store_Number" |stats sum(count) as count

|inputlookup blah.csv |rename "Assets Store #" as Store_Number|rename "Assets Store Desc" as Store_Desc|rename mac as Mac_Address |rename "Windows OS Version" as Windows_Version | search Windows_Version!=10.* | sort "Store_Number" - 0|table Store_Number Mac_Address   "Windows_Version" |stats count by Windows_Version |stats sum(count) as count

Any ideas?

0 Karma

adonio
Ultra Champion

Break this down:

|inputlookup blah.csv 

Combine all the | rename commands into one using commas:

|rename "Assets Store #" as Store_Number, "Assets Store Desc" as Store_Desc, mac as Mac_Address, "SCCM IP Address" as IP_Address, "Windows OS Version" as Windows_Version

Search for the events we want:

|search Windows_Version!=10.* OR Status!="In use" OR "Match on SCCM"=FALSE

Count by the fields we need:

|stats count by Windows_Version "Store_Number" "Match on SCCM"

You can add the | sum(count) or maybe | table count, depending on how you would like the results presented.

Hope it helps.

0 Karma
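
One way to build the table the question describes, as an added example that is not from either poster: reduce each of the three panel searches to a single count, label the row with eval, and stack the rows with append. The Description strings are made-up placeholders, and each two-step stats from the question is shortened to stats count, which gives the same total.

```spl
| inputlookup blah.csv
| search "Match on SCCM"=FALSE
| stats count
| eval Description="Assets with no match in SCCM"
| append
    [| inputlookup blah.csv
     | search Status!="In use"
     | rename "Assets Store #" as Store_Number, mac as Mac_Address
     | dedup Mac_Address
     | dedup Store_Number
     | stats count
     | eval Description="Stores with an asset not in use"]
| append
    [| inputlookup blah.csv
     | rename "Windows OS Version" as Windows_Version
     | search Windows_Version!=10.*
     | stats count
     | eval Description="Assets not running Windows 10"]
| table Description count
```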