multiple search output in a single table/list/something

smolcj
Builder

Hi all,
I am doing a Splunk app to reduce the complexity in reading a log file. I am done with the field extractions. Now if I want to display the results of several searches in a single list or table, what shall I do? Because all this information is scattered in the file, it will help others if it is co-ordinated, so:
User:username
Permission:admin
Foldername:foldername1
Servicetype:blabla
Is there any way to display results extracted in different searches in a single table or list?
Now I am using the search queries as

index=main source=sourcename.txt|top user | table user
index=main source=sourcename.txt|top Permission | table Permission

So I am getting a number of tables; how can I make the result view much better?
Please help.
Thanks for your time.

1 Solution

bmacias84
Champion

I think you want to use appendcols.


index=main source=sourcename.txt|top user | table user| appendcols [
index=main source=sourcename.txt|top Permission | table Permission ]

If your two results are coming from different sources, then you might want to use join if you have a common field.

index=main source=sourcename.txt|top user | fields user| join user [
index=test source=sourcename2.txt|top Permission by user | fields user, Permission ]

Hope this helps or gets you started. Cheers.

smolcj
Builder

Thank you bmacias84 ... it worked well

bmacias84
Champion

If the user and permission fields are in the same event I would go with @sdaniels.

sdaniels
Splunk Employee

If you want to have user and permission in the same table, just use one of the following:

<your search> | top user by Permission 
<your search> | top user, Permission

You could then add | head 10 or whatever to choose the first 10 etc. based on how many records you want to see in your dashboard view.
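
Added example (not from any poster in this thread): a small Python model, over constructed events, of why the two answers above give different tables. `appendcols` lines rows up by position, so a user and a Permission on the same row need not come from the same event, while `top user, Permission` counts combinations that occur together; the helper names and sample data are assumptions made for illustration.

```python
from collections import Counter

# Constructed sample events (not from the thread); each dict is one indexed event.
EVENTS = (
    [{"user": "alice", "Permission": "read"}] * 4
    + [{"user": "bob", "Permission": "admin"}] * 3
    + [{"user": "carol", "Permission": "admin"}] * 2
)

def top(events, *fields, limit=10):
    """Model of `top f1, f2`: most common value combinations, highest count first."""
    counts = Counter(tuple(e[f] for f in fields) for e in events)
    return [dict(zip(fields, combo), count=n) for combo, n in counts.most_common(limit)]

def table(rows, *fields):
    """Model of `table f1, f2`: keep only the named columns."""
    return [{f: r[f] for f in fields if f in r} for r in rows]

def appendcols(main, sub):
    """Model of `appendcols`: merge sub row i into main row i, by position only.
    Main-search values win on a name clash; extra sub rows are not modelled here."""
    merged = []
    for i, row in enumerate(main):
        out = dict(row)
        for key, value in (sub[i] if i < len(sub) else {}).items():
            out.setdefault(key, value)
        merged.append(out)
    return merged

def unsupported_pairs(rows, events):
    """(user, Permission) pairs shown on one row that never occur in a single event."""
    seen = {(e["user"], e["Permission"]) for e in events}
    return [(r["user"], r["Permission"]) for r in rows
            if "user" in r and "Permission" in r
            and (r["user"], r["Permission"]) not in seen]

def side_by_side(events):
    # ... | top user | table user | appendcols [ ... | top Permission | table Permission ]
    return appendcols(table(top(events, "user"), "user"),
                      table(top(events, "Permission"), "Permission"))

def combined(events):
    # <your search> | top user, Permission
    return table(top(events, "user", "Permission"), "user", "Permission")

if __name__ == "__main__":
    for name, rows in (("appendcols", side_by_side(EVENTS)),
                       ("top user, Permission", combined(EVENTS))):
        print(name, rows, "never seen together:", unsupported_pairs(rows, EVENTS))
```

In the `appendcols` table the most frequent user sits beside the most frequent Permission even though that user never had it, so a table built this way should not be read as a user-to-permission mapping.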

smolcj
Builder

In the dashboard also it is displaying in different panels; how to do it in a single table? I tried using table properties like table border='0' so that it looks like a single table, but it is not happening.

lguinn2
Legend

Why not use a dashboard?
