Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

run new search based on row-value and get the results in a new column

gpincheiraa
Engager
‎05-02-2017 11:45 AM

I have the following table of results

|trkid | values |
|123 | a |
|124 | b |
|125 | d |

But i need based on the trkid row-value, run a new search and show the results in a new column and get the following

|trkid | values | new_col |
|123 | a | 1 | ----> this value is the result of using the trkid value in another search. Example: [search trkid=123 | stats count as new_col]
|124 | b | 1 | ----> this value is the result of using the trkid value in another search. Example: [search trkid=124 | stats count as new_col]
|125 | d | 3 |----> this value is the result of using the trkid value in another search. Example: [search trkid=125 | stats count as new_col]

It is possible?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

cmerriman
Super Champion
‎05-02-2017 12:42 PM

you're wanting to add a new column to the end of your existing results based on the results you already have?

i would try to first just go with:

basesearch...|eventstats count by trkid

but you can also use appendpipe if you're trying to limit which trkid value to count:

basesearch...|appendpipe [search trkid=125 | stats count as new_col]

View solution in original post

Reply
Solved! Jump to solution

somesoni2
SplunkTrust
SplunkTrust
‎05-02-2017 02:03 PM

Try like this

index=foo [search index=foo...your current search giving results with field trkid and values | stats count by trkid | table trkid] | stats count as new_col by trkid
| append [search index=foo...your current search giving results with field trkid and values ]
| stats values(values) as values(new_col) as new_col by trkid

Can provide better representation if we have your current full query (and other query that you want to run based on trkid).

0 Karma
Reply
Solved! Jump to solution
Solution

cmerriman
Super Champion
‎05-02-2017 12:42 PM

you're wanting to add a new column to the end of your existing results based on the results you already have?

i would try to first just go with:

basesearch...|eventstats count by trkid

but you can also use appendpipe if you're trying to limit which trkid value to count:

basesearch...|appendpipe [search trkid=125 | stats count as new_col]
Reply
Solved! Jump to solution

DalJeanis
SplunkTrust
SplunkTrust
‎05-02-2017 02:06 PM

And, if you want to add the results of different searches to your results, then there are more options.

Append - 

(your existing search) 
| table trkid myvalues
| append [index=foo your new search | stats count as new_col by trkid]
| stats values(*) as * by trkid
| table trkid myvalues new_col

Join -

(your existing search) 
| table trkid myvalues
| join type=left trkid [index=foo your new search | stats count as new_col by trkid]
| fillnull value=0 new_col
| table trkid myvalues new_col

Map - 

(your existing search) 
| table trkid myvalues
| map search="search index=foo trkid2=$trkid$ | your calculations | eval myvalues=\"$myvalues$\""
| table trkid myvalues new_col

MANY more options...

Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...