topic How to get a count from certain process on multiple machines? in Splunk Enterprise https://community.splunk.com/t5/Splunk-Enterprise/How-to-get-a-count-from-certain-process-on-multiple-machines/m-p/648717#M16694 <P>Hello,</P> <P>So am trying to get a report of how many times in a month a certain process runs&nbsp; on a machine and when the last it did</P> <P>index=wss_desktop_perfmon sourcetype="wks:Perf_Process" instance!="_Total" instance!="idle"&nbsp;<BR />| where instance like "%bplus.wtk%"</P> <P>So this is the start of the search. The process bplus.wtk in splunk can have multiple instances like&nbsp;</P> <P>bplus.wtk2#1</P> <P>bplus.wtk2#2</P> <P>bplus.wtk2#3</P> <P>I do not care about the info past bplus.wtk I just want a count of how many times that shows up in month on a machine and count it</P> <P>On that machine I want a report that looks like&nbsp;</P> <TABLE border="1" width="100%"> <TBODY> <TR> <TD width="33.333333333333336%" height="25px">Computer&nbsp;</TD> <TD width="33.333333333333336%" height="25px">bplus.wtk&nbsp;</TD> <TD width="33.333333333333336%" height="25px">Last Time it Ran</TD> </TR> <TR> <TD width="33.333333333333336%" height="25px">workstation1</TD> <TD width="33.333333333333336%" height="25px">100</TD> <TD width="33.333333333333336%" height="25px">6/23/2023</TD> </TR> <TR> <TD>workstation2&nbsp;</TD> <TD>250</TD> <TD>6/27/2023</TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>I have tried Stats count and it is not working because I think it is a string value I am looking at and not a number value.&nbsp;</P> <P>Any help is appreciated</P> Fri, 30 Jun 2023 15:52:18 GMT coldwolf7 2023-06-30T15:52:18Z How to get a count from certain process on multiple machines? https://community.splunk.com/t5/Splunk-Enterprise/How-to-get-a-count-from-certain-process-on-multiple-machines/m-p/648717#M16694 <P>Hello,</P> <P>So am trying to get a report of how many times in a month a certain process runs&nbsp; on a machine and when the last it did</P> <P>index=wss_desktop_perfmon sourcetype="wks:Perf_Process" instance!="_Total" instance!="idle"&nbsp;<BR />| where instance like "%bplus.wtk%"</P> <P>So this is the start of the search. The process bplus.wtk in splunk can have multiple instances like&nbsp;</P> <P>bplus.wtk2#1</P> <P>bplus.wtk2#2</P> <P>bplus.wtk2#3</P> <P>I do not care about the info past bplus.wtk I just want a count of how many times that shows up in month on a machine and count it</P> <P>On that machine I want a report that looks like&nbsp;</P> <TABLE border="1" width="100%"> <TBODY> <TR> <TD width="33.333333333333336%" height="25px">Computer&nbsp;</TD> <TD width="33.333333333333336%" height="25px">bplus.wtk&nbsp;</TD> <TD width="33.333333333333336%" height="25px">Last Time it Ran</TD> </TR> <TR> <TD width="33.333333333333336%" height="25px">workstation1</TD> <TD width="33.333333333333336%" height="25px">100</TD> <TD width="33.333333333333336%" height="25px">6/23/2023</TD> </TR> <TR> <TD>workstation2&nbsp;</TD> <TD>250</TD> <TD>6/27/2023</TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>I have tried Stats count and it is not working because I think it is a string value I am looking at and not a number value.&nbsp;</P> <P>Any help is appreciated</P> Fri, 30 Jun 2023 15:52:18 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-to-get-a-count-from-certain-process-on-multiple-machines/m-p/648717#M16694 coldwolf7 2023-06-30T15:52:18Z Re: How to get a count from certain process on multiple machines? https://community.splunk.com/t5/Splunk-Enterprise/How-to-get-a-count-from-certain-process-on-multiple-machines/m-p/649112#M16722 <P>Hi</P><P>I think that something like this should work</P><LI-CODE lang="markup">index=wss_desktop_perfmon sourcetype="wks:Perf_Process" instance="*" instance!="_Total" instance!="idle" | where instance like "%bplus.wtk%" | stats count as "bplus.wtk" max(_time) as lastRun by Computer | eval lastRun = strftime(lastRun, "%m/%d/%Y") | table Computer "bplus.wtk" lastRun</LI-CODE><P>Usually you should add that instance = "*xyz*" on first line, but as you have wildcard also in the beginning on it, it could be better (in point of performance) to have it separately? You should check it by Job Inspector. Also check if those instance!=xyz are better to drop or not as you are selecting only some specific instances on second line. Splunk is not good for != and NOT (in performance point of view).</P><P>r. Ismo</P> Tue, 04 Jul 2023 13:04:16 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-to-get-a-count-from-certain-process-on-multiple-machines/m-p/649112#M16722 isoutamo 2023-07-04T13:04:16Z Re: How to get a count from certain process on multiple machines? https://community.splunk.com/t5/Splunk-Enterprise/How-to-get-a-count-from-certain-process-on-multiple-machines/m-p/649367#M16733 <P>That worked perfectly. I did take out the where statement and put the&nbsp;<SPAN>instance = "*xyz*" on the first line and took out the != and ran so much faster</SPAN></P> Wed, 05 Jul 2023 18:29:57 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-to-get-a-count-from-certain-process-on-multiple-machines/m-p/649367#M16733 coldwolf7 2023-07-05T18:29:57Z