Re: How to range columns and rows ?

jw44250 · ‎04-10-2017

I have the following result from Splunk Query using appCols because same logs always has different events with different message

message1 or message2 just a name..

Message Count1 Message2 count2
hello 5 hi 10

Output i am looking is :
Message count --< Header Fields>
hello 5

hi 10

somesoni2 · ‎04-10-2017

Instead of appendcols, you should use just append. Also, remember to rename the fields in 2nd search (Message2 and count2) same as first search.

search 1 | table Message Count
| append [search 2 | table Message2 Count2 | rename Message2 as Message Count2 as Count ]

See this to know difference between append and appendcols.
https://answers.splunk.com/answers/144351/what-are-the-differences-between-append-appendpipe.html

jw44250 · ‎04-10-2017

it is same index. but i have to extract different fields each time from events.. since the events returns has different message

jw44250 · ‎04-10-2017

i using transport i didnt work ..

jw44250 · ‎04-10-2017

Thanks it did work.

somesoni2 · ‎04-10-2017

Glad it's working for you. If it's same index, you probably don't need a subsearch. If you could share you search, we can look at it to see if both searches can be merged into one for better performance.

jw44250 · ‎04-10-2017

Here is the Splunk Query..

somesoni2 · ‎04-11-2017

Give this a try

(index=index1 sourcetype=index1_log) OR (index=index2 sourcetype=index2_log) 
| rex field=_raw "(?<Message>(exception|message)\s\w+\s\w+)" 
|stats count as "Hit Count" by Message

jw44250 · ‎04-11-2017

let me tried it..thanks

jw44250 · ‎04-11-2017

When adding timechart span=3h count usenull=f useother=f into both indexes getting error :- please rename count columns.

somesoni2 · ‎04-11-2017

YOu're getting that in same query?

How to range columns and rows ?

Introducing the Splunk Community Dashboard Challenge!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Wondering How to Build Resiliency in the Cloud?