- Splunk Answers
- :
- Splunk Administration
- :
- Knowledge Management
- :
- Re: How to range columns and rows ?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to range columns and rows ?
I have the following result from Splunk Query using appCols because same logs always has different events with different message
message1 or message2 just a name..
Message Count1 Message2 count2
hello 5 hi 10
Output i am looking is :
Message count --< Header Fields>
hello 5
hi 10
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Instead of appendcols, you should use just append. Also, remember to rename the fields in 2nd search (Message2 and count2) same as first search.
search 1 | table Message Count
| append [search 2 | table Message2 Count2 | rename Message2 as Message Count2 as Count ]
See this to know difference between append and appendcols.
https://answers.splunk.com/answers/144351/what-are-the-differences-between-append-appendpipe.html
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
it is same index. but i have to extract different fields each time from events.. since the events returns has different message
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i using transport i didnt work ..
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks it did work.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Glad it's working for you. If it's same index, you probably don't need a subsearch. If you could share you search, we can look at it to see if both searches can be merged into one for better performance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here is the Splunk Query..
index=index1 sourcetype=index1_log | rex field=_raw "(?exception\s\w+\s\w+)" |stats count by Message| table Message count | append
[search index=index2 sourcetype=index2_log | rex field=_raw "(?message\s\w+\s\w+)" |stats count as count1 by message| table message count1 |rename message as Message count1 as count] | rename count as "Hit Count"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Give this a try
(index=index1 sourcetype=index1_log) OR (index=index2 sourcetype=index2_log)
| rex field=_raw "(?<Message>(exception|message)\s\w+\s\w+)"
|stats count as "Hit Count" by Message
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
let me tried it..thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When adding timechart span=3h count usenull=f useother=f into both indexes getting error :- please rename count columns.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
YOu're getting that in same query?
Join Us for Splunk University and Get Your Bootcamp Game On!
.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!
Announcing Scheduled Export GA for Dashboard Studio
