how to Union 4 searches with 4 field name

splunkt0n · ‎03-14-2018

Hi,

Good day!

have this search:

| union 
    [| pivot latest(field0) AS field0 SPLITROW field4 AS field4 
    | search field0="Success" 
    | stats count as field3 by field1,field2 
    | addtotals row=f col=t labelfield="field2" label="Grand Total" field3 ] 
    [| pivot latest(field0) AS field0 SPLITROW field4 AS field4 
    | search field0="Failed" 
    | stats count as field3 by field1,field2 
    | addtotals row=f col=t labelfield="field2" label="Grand Total" field3 ] 
    [| pivot latest(field0) AS field0 SPLITROW field4 AS field4 
    | search field0="Warning" 
    | stats count as field3 by field1,field2 
    | addtotals row=f col=t labelfield="field2" label="Grand Total" field3 ]

and I want my result to look like this.

Hope you can help me and thanks in advance!

mayurr98 · ‎03-14-2018

can you try this

| pivot latest(field0) AS field0 SPLITROW field4 AS field4 
| search field0="Success" 
| stats count as field3 by field1,field2 
| addtotals row=f col=t labelfield="field2" label="Grand Total" field3 ] 
| append 
[| pivot latest(field0) AS field0 SPLITROW field4 AS field4 
| search field0="Failed" 
| stats count as field3 by field1,field2 
| addtotals row=f col=t labelfield="field2" label="Grand Total" field3 ] 
| append 
[| pivot latest(field0) AS field0 SPLITROW field4 AS field4 
| search field0="Warning" 
| stats count as field3 by field1,field2 
| addtotals row=f col=t labelfield="field2" label="Grand Total" field3 ]

how to Union 4 searches with 4 field name

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor