- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How can you display results from 2 contrasting...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Afternoon!
Hope this isn't too basic of a question here, but I've been striking out on finding a similar search to use as an example.
I'm basically trying to parse 2 separate results out of the same log entry and display them in a single table.
Search 1:
host=ServerNumber1 sourcetype=log adventure NOT "Buck" | rename uniqueid as item1 | dedup item1 | table item1
Search 2:
host=ServerNumber1 sourcetype=log "Buck" | rename uniqueid as item2 | dedup item2 | table item2
I'm trying to figure out how to get item1 and item2 in to the same table in separate columns.
Any help would be appreciated!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do you want the final display? Item1 & Item2 as different columns in your table. See if this gives you what your are looking for
host=ServerNumber1 sourcetype=log adventure NOT "Buck" | rename uniqueid as item1 | stats count by item1 | fields - count | appendcols [ host=ServerNumber1 sourcetype=log "Buck" | rename uniqueid as item2 | stats count by item2 | fields - count]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do you want the final display? Item1 & Item2 as different columns in your table. See if this gives you what your are looking for
host=ServerNumber1 sourcetype=log adventure NOT "Buck" | rename uniqueid as item1 | stats count by item1 | fields - count | appendcols [ host=ServerNumber1 sourcetype=log "Buck" | rename uniqueid as item2 | stats count by item2 | fields - count]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What should I do if i want to reduce item2 from item1 and after that see the results as a table?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the response! Really appreciate it!
That got me what I needed...
For anyone else who happens apon this string, I had to make two changes to get it to work
1) had to add search after the appendcols [
2) had to move the | fields - count to OUTSIDE of the ].
So the final serach looked like:
host=ServerNumber1 sourcetype=log adventure NOT "Buck" | rename uniqueid as item1 | stats count by item1 | fields - count | appendcols [search host=ServerNumber1 sourcetype=log "Buck" | rename uniqueid as item2 | stats count by item2] | fields - count
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
