- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- SPLUNK Query to combine two coloums as per the sea...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SPLUNK Query to combine two coloums as per the search string
Am using two Queries using appendcols to get the data . Sample data is as follows
Classification | Name | Basket1 |Basket2 | Basket1+2
Fruit | Mango | aa |xx |aaxx
Fruit | Apple |bb |yy |bbyy
Fruit | Banana |cc |zz | cczz
Fruit | Pineapple |dd |uu |dduu
In basket 1 sequence of fruits is Mango, Apple, Bananna, Pineapple whereas the sequence of Basket2 is Bananna( zz),Mango(uu), Apple(yy),pineapple(xx)
As per my requirement the result will be like below
Classification |Name| Basket1 | Basket2 | Basket1+2
Fruit |Mango|aa |uu |aauu
Fruit | Apple |bb|yy| bbyy
Fruit|Banana |cc |zz |cczz
Fruit|Pineapple| dd| xx|ddxx
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So please help me
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sourcetype="st-offline-orders" NonContinuableError earliest=-48h@h latest=-24h@h |rex field=_raw "NonContinuableError:(?<NCE>.?)|DN" |search NCE NOT (:CON-* OR :CUST OR loginError) | eval Hour=strftime(_time, "%H") | chart count over NCE by Day | addtotals | sort 0 -Total |lookup local=true "FileName" NON_CONTINUABLE_ERROR as NCE OUTPUT CLASSIFICATION as Classification | where Classification="FRUIT" |table Classification NCE Total * | addcoltotals | rename "Total" as "Basket1" |appendcols [search sourcetype="st-online-orders" earliest=-48h@h latest=-24h@h NonContinuableError |rex field=_raw "NonContinuableError:(?<NCE>.?)|DN" |search NCE NOT (:CON-* OR :CUST OR loginError) | eval Hour=strftime(_time, "%H") | chart count over NCE by Day| addtotals | sort 0 -Total |lookup local=true "FileName1" NON_CONTINUABLE_ERROR as NCE OUTPUT CLASSIFICATION as Classification | where Classification="FRUIT" |table Classification NCE Total * | addcoltotals |rename "Total" as "Basket2"]| fields - NULL | eval Basket1+2=Basket1 + Basket2
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@bvsuman
Can you please share your both sample searches ??
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sourcetype="st-offline-orders" NonContinuableError earliest=-48h@h latest=-24h@h |rex field=_raw "NonContinuableError:(?.?)|DN" |search NCE NOT (:CON- OR :CUST* OR loginError) | eval Hour=strftime(_time, "%H") | chart count over NCE by Day | addtotals | sort 0 -Total |lookup local=true "FileName" NON_CONTINUABLE_ERROR as NCE OUTPUT CLASSIFICATION as Classification | where Classification="FRUIT" |table Classification NCE Total | addcoltotals | rename "Total" as "Basket1" |appendcols [search sourcetype="st-online-orders" earliest=-48h@h latest=-24h@h NonContinuableError |rex field=_raw "NonContinuableError:(?.?)|DN" |search NCE NOT (:CON- OR :CUST OR loginError) | eval Hour=strftime(_time, "%H") | chart count over NCE by Day| addtotals | sort 0 -Total |lookup local=true "FileName1" NON_CONTINUABLE_ERROR as NCE OUTPUT CLASSIFICATION as Classification | where Classification="FRUIT" |table Classification NCE Total * | addcoltotals |rename "Total" as "Basket2"]| fields - NULL | eval Basket1+2=Basket1 + Basket2
Detecting Remote Code Executions With the Splunk Threat Research Team
Enter the Splunk Community Dashboard Challenge for Your Chance to Win!
.conf24 | Session Scheduler is Live!!
