Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to combine multiple panels into one table?

JoshuaJohn
Contributor
‎04-24-2017 03:12 PM

I have multiple single value number panels I want to combine into one table, I want my table to look somewhat like this:

alt text
I have these few searches as single panels that I want to put into the table, I also wanted to create a description spot for each of the single panels rows. I attempted to do this with Join then added an appendcols for the description but was unsuccessful any ideas?

|inputlookup blah.csv |search "Match on SCCM"=FALSE |rename "Assets Store #" as Store_Number|rename "Assets Store Desc" as Store_Desc|rename mac as Mac_Address |table "SCCM Store" Store_Number Store_Desc "Match on SCCM" "Serial number" Mac_Address |stats count by "Match on SCCM" |stats sum(count)

|inputlookup blah.csv | search Status!="In use" |rename "Assets Store #" as Store_Number|rename "Assets Store Desc" as Store_Desc|rename mac as Mac_Address |rename "SCCM IP Address" as IP_Address| table Store_Number Mac_Address  "IP_Address" "Status" |dedup Mac_Address |dedup "Store_Number" |stats count by "Store_Number" |stats sum(count) as count

|inputlookup blah.csv |rename "Assets Store #" as Store_Number|rename "Assets Store Desc" as Store_Desc|rename mac as Mac_Address |rename "Windows OS Version" as Windows_Version | search Windows_Version!=10.* | sort "Store_Number" - 0|table Store_Number Mac_Address   "Windows_Version" |stats count by Windows_Version |stats sum(count) as count

Any ideas?

Preview file
1 KB
0 Karma
Reply

adonio
Ultra Champion
‎04-24-2017 07:13 PM

break this down:

|inputlookup blah.csv

combine all the | rename to one using commas

|rename "Assets Store #" as Store_Number, "Assets Store Desc" as Store_Desc, mac as Mac_Address, "SCCM IP Address" as IP_Address, "Windows OS Version" as Windows_Version

search for the events we want:

|search Windows_Version!=10.* OR Status!="In use" OR "Match on SCCM"=FALSE

count by the fields we need:

|stats count by Windows_Version "Store_Number" "Match on SCCM"

you can add the | sum(count) or maybe | table count depends on how you would like the results presented

hope it helps

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...