- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Re: Append or Join related in Splunk
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi - I'm trying to read two different elements within each search record and them show their count so its like
Record 1 - key1, key 2 Record 2 - key1, key 3
Record 3 - key1, key3, key2
The result i'm trying to get is
Key 1 - count of 3
Key 2 - count of 2
key 3 - count of 2
So when i search first i get the raw, look for key 1 and do a stat with count for key 1, then i append a new search query look for key 2 and then do a stat with count for key 2 etc..
The problem is when i append it does not just add the new values as rows but it adds it as columns which is weird, so output is like
key 1 - 3 key2 - 2 key3- 3
I want them vertically one below another and not in this horizontal way...
Pls advise..
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try ... | stats count(eval(key1="foo")) as key1 count(eval(key2="bar")) as key2
There are a couple other options depending on what "key" is though which seems to be the issue. An over the top way could be
... | stats count by key1 | append [search .... | stats count by key2]
But that generally isn't needed.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try ... | stats count(eval(key1="foo")) as key1 count(eval(key2="bar")) as key2
There are a couple other options depending on what "key" is though which seems to be the issue. An over the top way could be
... | stats count by key1 | append [search .... | stats count by key2]
But that generally isn't needed.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As suggested by Runals, to append results of queries one below another use append
... | stats count by key1 | append [search .... | stats count by key2]
Note - appendcols will append as columns
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Runals , it worked, I was trying appendcols instead of append so it was appending as columns. With append - it's adding all the rows one below another.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you post so more concrete examples? I'm trying to understand why a ... | stats count by key isn't working. Not knowing what "key" is or what sort of field extraction you've setup you could try something like
sourcetype=foo | rex max_match=0 "(?<key>key\d+)" | stats count as events by key | stats count by events
but I'm not sure what that would output relative to your data
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Runals - let me put my ques in a diff way - how can i append two stat results one below another ?
for e.g. stats count(key1) by key1 | stats count(key2) by key2
where key1 = some eval expression
and key2 = some eval expression
Thanks
Detecting Remote Code Executions With the Splunk Threat Research Team
Observability | Use Synthetic Monitoring for Website Metadata Verification
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
