Solved: How to add a new column in my chart with a new eve...

guillecasco · ‎05-16-2016

I have a search like this:

search| stats count by errortype

which is quite simple and returns:

errortype   count
1600         45
1234         60

Now I want to add in same chart a new column using the dedup command (that I already have and works), but filters a new result with less logs count. I would like to have something like:

errortype count newcount

How can I do it?

sundareshr · ‎05-16-2016

You could either do a | stats count dc(field) as distinct by errortype or use appendcols like this

.. | stats count by errortype | appendcols [ search ... | dedup field | stats count as distinct by errortype  ]

View solution in original post

sundareshr · ‎05-16-2016

You could either do a | stats count dc(field) as distinct by errortype or use appendcols like this

.. | stats count by errortype | appendcols [ search ... | dedup field | stats count as distinct by errortype  ]

guillecasco · ‎05-17-2016

thanks budy, appendcols worked perfectly

ppablo · ‎05-17-2016

@guillecasco Glad you found your answer through @sundareshr !

Since it has a working solution, don't forget to resolve the question by clicking "Accept" directly below sundareshr's post.

How to add a new column in my chart with a new event count after using the dedup command?

Detecting Remote Code Executions With the Splunk Threat Research Team

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk