Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

stats for json data

email2vamsi
Explorer
‎10-15-2020 04:34 AM

Hello Experts,

 

search..
|search "json attribute"
|stats sum(latest("_attributes.xxx.total")) by servername
|append [search ...
|search "json attribute"
|stats sum(latest("_attributes.yyy.total")) by servername]

 

The above search returns rows in the following format:-
servername --- sum(latest("_attributes.xxx.total")) --  sum(latest("_attributes.yyy.total"))

But i want them to be displayed as follows:--
servername --- sum(latest("_attributes.Both_xxx_yyy.total")) 

Thank you.

Labels (1)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-15-2020 05:51 AM

You have two separate searches with their results appended so it should be no surprise that the display contains separate values.

Have you tried adding the two results together?

search..
|search "json attribute"
|stats sum(latest("_attributes.xxx.total")) as Total_xxx by servername
|append [search ...
|search "json attribute"
|stats sum(latest("_attributes.yyy.total")) as Total_yyy by servername]
|eval Total_xxx_yyy=Total_xxx + Total_yyy
|table servername Total_xxx_yyy
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

email2vamsi
Explorer
‎10-19-2020 12:21 AM

Thank you Mr.Rich.

This is my requirement.

base search..
|search "_attributes.xxx.total"
|stats dc(servername) by _attributes.xxx.total

base search..
|search "_attributes.yyy.total"
|stats dc(servername) by _attributes.yyy.total

From these two searches i want a cobination like the below with a wild card.
But it wouldn't work this way.Please suggest how to achieve it.
base search..
|search "_attributes.*.total"
|stats dc(servername) by _attributes.*.total

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎10-19-2020 01:06 AM

It is not clear what your requirement is. What does |stats dc(servername) by _attributes.*.total mean? Distinct count of servername where _attributes.xxx.total and _attributes.yyy.total are combined into a single count, or do you want separate distinct counts for _attributes.xxx.total and _attributes.yyy.total?

For separate counts

base search..
|search "_attributes.xxx.total"
|stats dc(servername) as servers by _attributes.xxx.total
|rename _attributes.xxx.total as total
|append [
base search..
|search "_attributes.yyy.total"
|stats dc(servername) as servers by _attributes.yyy.total
|rename _attributes.yyy.total as total
]
|table total servers

 For total counts (although this will double count servers where xxx.total = yyy.total

base search..
|search "_attributes.xxx.total"
|stats dc(servername) as servers by _attributes.xxx.total
|rename _attributes.xxx.total as total
|append [
base search..
|search "_attributes.yyy.total"
|stats dc(servername) as servers by _attributes.yyy.total
|rename _attributes.yyy.total as total
]
|table sum(total) as total servers

For counts without double counting

base search..
|search "_attributes.xxx.total" OR "_attributes.yyy.total"
|eval total=if(isnull('_attributes.xxx.total'),'_attributes.yyy.total',mvappend('_attributes.xxx.total','_attributes.yyy.total'))
|mvexpand total
|stats dc(servername) as servers by total
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...

Updated Data Management and AWS GDI Inventory in Splunk Observability

We’re making some changes to Data Management and Infrastructure Inventory for AWS. The Data Management page, ...