Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why does appendcols produce the same result for two different searches?

saradachelluboy
Explorer
‎06-02-2016 04:28 PM

The below search String works same for approved and decline. Can some let me know where the error is?

All the time it executes index="pg_int" sourcetype="pg" (responseCode=00) for approved and declined. Please help.

index="pg_int" sourcetype="pg"  (responseCode=00) | timechart count as approved | appendcols [search index="pg_int" sourcetype="pg"  (responseCode!=00)| timechart count as declined]
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎06-02-2016 04:51 PM

For the appendcols to align correctly, try adding a span to your timechart. Something like this

index="pg_int" sourcetype="pg"  (responseCode=00) | timechart span=1d count as approved | appendcols [search index="pg_int" sourcetype="pg"  (responseCode!=00)| timechart span=1d count as declined]

Having said that, a faster approach may be this...

index="pg_int" sourcetype="pg"  responseCode=* | eval response_cd=if(responseCode="00", "approved" , "declined") | timechart span=1h count by response_cd

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎06-02-2016 04:51 PM

For the appendcols to align correctly, try adding a span to your timechart. Something like this

index="pg_int" sourcetype="pg"  (responseCode=00) | timechart span=1d count as approved | appendcols [search index="pg_int" sourcetype="pg"  (responseCode!=00)| timechart span=1d count as declined]

Having said that, a faster approach may be this...

index="pg_int" sourcetype="pg"  responseCode=* | eval response_cd=if(responseCode="00", "approved" , "declined") | timechart span=1h count by response_cd
0 Karma
Reply
Solved! Jump to solution

saradachelluboy
Explorer
‎06-02-2016 05:18 PM

Thanks Sundar!!!

The faster approach worked fine but I wonder why the appendcols still didn't work after the changes.I am using Splunk 6.1 and IE11

0 Karma
Reply
Solved! Jump to solution

saradachelluboy
Explorer
‎06-02-2016 05:21 PM

Can you please help me how to restrict specific responseCode for decline?
responseCode =90 or responseCode = 08 consider as Decline.

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎06-02-2016 05:54 PM

Change the eval segment like this

.... | eval response_cd=case(responseCode="00", "approved", responseCode="90" OR responseCode="08", "declined", 1=1, "other")

The other for all other responseCodes. If you don't want to show that field, you can add this to the end of the query

| fields - other
0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...