Splunk Search

Stats count result naming

TCK101
New Member

I have a number of saved searches, and I am appending all the counts to form a total, which works fine:

| savedsearch "Service 1" | stats count
| append [savedsearch "Service 2" | stats count]
| append [savedsearch "Service 3" | stats count]
| stats sum(count)

Basically, I would now like to have a timechart of this, with each bar containing the weekly total of each of the saved searches, and have the counts for each saved search as Service 1, Service 2, Service 3.

| savedsearch "Service 1" | stats count
| append [savedsearch "Service 2" | stats count]
| append [savedsearch "Service 3" | stats count]
| timechart span=1w count by ???

Would I need to eval each saved search?

0 Karma

TCK101
New Member

Thanks

How would I be able to split each of Service 1, Service 2 and Service 3 as their OWN line / bar in the timechart result?

0 Karma

somesoni2
SplunkTrust

Try like this

|savedsearch "Service 1" | timechart span=1w count as Service1
| append [| savedsearch "Service 2" | timechart span=1w count as Service2 ] 
| append [| savedsearch "Service 3" | timechart span=1w count as Service3] 
| timechart span=1w sum(*) as * 

Please note that for the timechart command to work, you need the _time field, so ensure that your savedsearch results contain the _time field.

micahkemp
Champion

It's important to note that in @somesoni2's response he used timechart instead of stats in the append search. The search posted in the original question used stats, which would definitely drop _time from the results, preventing you from using timechart further down the search.

0 Karma

kamlesh_vaghela
SplunkTrust

Hi @TCK101,

Can you please try this?

|savedsearch "Service 1" | eval mysavedsearch="Service 1"
| append [savedsearch "Service 2" | eval mysavedsearch="Service 2" ] 
| append [savedsearch "Service 3" | eval mysavedsearch="Service 3"] 
|timechart span=1w count by mysavedsearch
0 Karma

TCK101
New Member

This does not work.

Note I have 3 saved searches.

0 Karma
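
An added illustration, not code from any poster in this thread and not Splunk code: a small Python model of the point made above about `stats` dropping `_time`, compared with tagging each saved search's events with `eval` before `timechart`. The event timestamps are constructed, and the fixed epoch-aligned 7-day bucket is a simplifying assumption about `span=1w`.

```python
from collections import defaultdict

DAY = 86400
WEEK = 7 * DAY  # model assumption: fixed 7-day buckets aligned to epoch 0

def stats_count(rows):
    """Model of `| stats count`: one summary row; _time and all other fields are gone."""
    return [{"count": len(rows)}]

def eval_field(rows, name, value):
    """Model of `| eval name="value"`: every event is kept and gains one field."""
    return [{**r, name: value} for r in rows]

def timechart_count_by(rows, by, span=WEEK):
    """Model of `| timechart span=1w count by <by>`: rows without _time cannot be bucketed."""
    table = defaultdict(lambda: defaultdict(int))
    for r in rows:
        if "_time" not in r:
            continue  # nothing to place on the time axis
        bucket = r["_time"] - r["_time"] % span
        table[bucket][r.get(by, "NULL")] += 1
    return {b: dict(c) for b, c in sorted(table.items())}

# Constructed sample events standing in for the three saved searches' results.
T0 = 1_700_000_000 - 1_700_000_000 % WEEK  # start of an arbitrary week bucket
SAVED = {
    "Service 1": [{"_time": T0 + d * DAY} for d in (0, 1, 8)],
    "Service 2": [{"_time": T0 + d * DAY} for d in (2, 9, 10, 13)],
    "Service 3": [{"_time": T0 + d * DAY} for d in (7,)],
}

def question_pipeline():
    """savedsearch | stats count | append [...] | timechart span=1w count by ..."""
    rows = [row for events in SAVED.values() for row in stats_count(events)]
    return timechart_count_by(rows, "mysavedsearch")

def tagged_pipeline():
    """savedsearch | eval mysavedsearch=... | append [...] | timechart span=1w count by mysavedsearch"""
    rows = [row for name, events in SAVED.items()
            for row in eval_field(events, "mysavedsearch", name)]
    return timechart_count_by(rows, "mysavedsearch")

if __name__ == "__main__":
    print("stats before timechart:", question_pipeline())  # empty: no _time left
    for week, counts in tagged_pipeline().items():
        print(week, counts)  # one row per week, one column per service
```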