Splunk Dev

Get total number of columns

vinod94
Contributor
  assigned 2018-02-06   2018-02-08  2018-02-13  2018-02-15  
     4            0          0              0          0
     9            0          0              0          0
    10            1          0              0          0
    11            1          0              0          0

where the above date values are present in a field called DATES. I have used chart command to get the above table.
I want to create a new column which should give me the total number of date columns.Here, I have 4 dates in my column so the output should look like this

    assigned 2018-02-06   2018-02-08    2018-02-13  2018-02-15  total_date_columns
     4            0          0              0          0               4
     9            0          0              0          0               4
    10            1          0              0          0               4
    11            1          0              0          0               4
Tags (1)
0 Karma
1 Solution

elliotproebstel
Champion

Assuming the date columns will always take that format, this should work:

your base search
| eval total_date_columns=0
| foreach 2018* 
 [ total_date_columns=total_date_columns+1 ]

View solution in original post

niketn
Legend

@vinod94, what is your existing chart command that you have used? It is possible that you can have the total_date_columns value calculated in the chart command itself. Also once you get the total_date_columns, what is the next thing you would want to do?

I would also use foreach command. But, here is a run anywhere search with Splunk's _internal index and transpose, addtotals and filldown commands. This is just to document an alternative approach:

index=_internal sourcetype=splunkd log_level!="INFO"
| eval Dates=strftime(_time,"%Y/%m/%d")
| chart count over Dates by component useother=f usenull=f
| eval total_date_columns=1
| transpose 0 header_field="Dates" column_name="Dates"
| addtotals row=t col=f fieldname="total_date_columns"
| eval total_date_columns=case(Dates=="total_date_columns",total_date_columns)
| reverse
| filldown total_date_columns
| search Dates!="total_date_columns"
| reverse
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

elliotproebstel
Champion

Assuming the date columns will always take that format, this should work:

your base search
| eval total_date_columns=0
| foreach 2018* 
 [ total_date_columns=total_date_columns+1 ]

vinod94
Contributor

Thanks, it worked!

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...