Solved: Can you make append not start on a new line?

summitsplunk · ‎04-13-2018

LIke if I run this query:

index=myindex | stats count AS Total1 BY host | append [ search index=myindex | stats count AS Total2 BY source]

I want the statistics for Total2 to be on the same line as Total1, or am I just using the wrong command?

I just want to make two search queries of the same index to be able to compare them on the statistics tab.

elliotproebstel · ‎04-13-2018

It will always do that, but this will give you what you want:

index=myindex 
| stats count AS Total1 BY host 
| append 
 [ search index=myindex 
  | stats count AS Total2 BY source]
| stats max(Total1) AS Total1 max(Total2) AS Total2 by host, source

View solution in original post

summitsplunk · ‎04-14-2018

Thanks everyone. All were good ideas but they only let me accept one answer.

niketn · ‎04-14-2018

@summitsplunk, since you have already up-voted the remaining answers, you have done your part. Glad you could find the answers useful 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Kirantcs · ‎04-14-2018

Hi instead of append,try join

index=a
|stats count by host
|join type=left/inner host
[search index=b
|stats count by host]

niketn · ‎04-14-2018

@summitsplunk, depends on what is your use case and what is the required output.

index=_internal log_level=* sourcetype=*
| stats count AS Total1 BY log_level 
| append 
    [ search index=_internal 
    | stats count AS Total2 BY sourcetype] 
| fillnull value="-"  
| stats max(Total1) AS Total1 max(Total2) AS Total2 by log_level, sourcetype

Or

index=_internal log_level=* sourcetype=*
| stats count AS Total BY log_level 
| rename log_level as Field
| append 
    [ search index=_internal 
    | stats count AS Total BY sourcetype
    | rename sourcetype as Field]

Or

index=_internal log_level=* sourcetype=*
| stats count AS Total BY log_level, sourcetype
| eventstats sum(Total) as Total_log_level by log_level
| eventstats sum(Total) as Total_sourcetype by sourcetype

Or

index=_internal log_level=* sourcetype=*
| stats count AS Total BY log_level, sourcetype
| chart last(Total) as Total by log_level sourcetype
| fillnull value=0
| addtotals col=t row=t labelfield=log_level label=Total

See if one of them fits your needs.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

elliotproebstel · ‎04-13-2018

It will always do that, but this will give you what you want:

index=myindex 
| stats count AS Total1 BY host 
| append 
 [ search index=myindex 
  | stats count AS Total2 BY source]
| stats max(Total1) AS Total1 max(Total2) AS Total2 by host, source

niketn · ‎04-14-2018

@elliotproebstel, you should have fillnull to ensure null fields are still accounted in the final stats | fillnull value="-"

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

elliotproebstel · ‎04-14-2018

Nice correction, thanks!

Can you make append not start on a new line?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!