Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to combine multiple panels into one table?

JoshuaJohn
Contributor
‎04-24-2017 03:12 PM

I have multiple single value number panels I want to combine into one table, I want my table to look somewhat like this:

alt text
I have these few searches as single panels that I want to put into the table, I also wanted to create a description spot for each of the single panels rows. I attempted to do this with Join then added an appendcols for the description but was unsuccessful any ideas?

|inputlookup blah.csv |search "Match on SCCM"=FALSE |rename "Assets Store #" as Store_Number|rename "Assets Store Desc" as Store_Desc|rename mac as Mac_Address |table "SCCM Store" Store_Number Store_Desc "Match on SCCM" "Serial number" Mac_Address |stats count by "Match on SCCM" |stats sum(count)

|inputlookup blah.csv | search Status!="In use" |rename "Assets Store #" as Store_Number|rename "Assets Store Desc" as Store_Desc|rename mac as Mac_Address |rename "SCCM IP Address" as IP_Address| table Store_Number Mac_Address  "IP_Address" "Status" |dedup Mac_Address |dedup "Store_Number" |stats count by "Store_Number" |stats sum(count) as count

|inputlookup blah.csv |rename "Assets Store #" as Store_Number|rename "Assets Store Desc" as Store_Desc|rename mac as Mac_Address |rename "Windows OS Version" as Windows_Version | search Windows_Version!=10.* | sort "Store_Number" - 0|table Store_Number Mac_Address   "Windows_Version" |stats count by Windows_Version |stats sum(count) as count

Any ideas?

Preview file
1 KB
0 Karma
Reply

adonio
Ultra Champion
‎04-24-2017 07:13 PM

break this down:

|inputlookup blah.csv

combine all the | rename to one using commas

|rename "Assets Store #" as Store_Number, "Assets Store Desc" as Store_Desc, mac as Mac_Address, "SCCM IP Address" as IP_Address, "Windows OS Version" as Windows_Version

search for the events we want:

|search Windows_Version!=10.* OR Status!="In use" OR "Match on SCCM"=FALSE

count by the fields we need:

|stats count by Windows_Version "Store_Number" "Match on SCCM"

you can add the | sum(count) or maybe | table count depends on how you would like the results presented

hope it helps

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...

Updated Data Management and AWS GDI Inventory in Splunk Observability

We’re making some changes to Data Management and Infrastructure Inventory for AWS. The Data Management page, ...