topic Re: How to display "(2)" next to hostname when a second host has been detected in the list? in Getting Data In

How to display "(2)" next to hostname when a second host has been detected in the list?

lucien62 — Fri, 23 Mar 2018 10:57:34 GMT

Hello All,

I have a simple search that returns a list of host and time stamps:

host   _time
x      2018-03-23 11:54
y      2018-03-23 11:55
z      2018-03-23 11:56

It's possible to have 2 times the same host in the list, in that case I would like to have "(2)" displayed next to the name of the second host, like this:

host   _time
x      2018-03-23 11:54
y      2018-03-23 11:55
x(2)   2018-03-23 11:55
z      2018-03-23 11:56

How can I do that?

Re: How to display "(2)" next to hostname when a second host has been detected in the list?

tiagofbmm — Fri, 23 Mar 2018 11:25:21 GMT

In which cases do you want to have duplicated values of host?

I don't know which search are doing there but if you are doing a stats latest(host) by _time, a stats values(host) by _time gives as many values as existing in the field ( instead of having one per host).

But I think more clarifications would be frutiful here.

Re: How to display "(2)" next to hostname when a second host has been detected in the list?

damiensurat — Fri, 23 Mar 2018 11:46:38 GMT

Do you want the 2 next to the host and in the same column, or a separate column with the count of hosts?

Your search | fields host, _time | eventstats count(host) as hostCount by _time | table host, hostCount, _time

Re: How to display "(2)" next to hostname when a second host has been detected in the list?

niketn — Fri, 23 Mar 2018 11:58:44 GMT

@lucien62 try the following

<yourBaseSearch>
| streamstats count as sno by host
| eval host=host."(".sno.")"
| table _time host

Following is a run anywhere search based on Splunk's _internal index which which samples some splunkd errors and display count of host with errors over time:

index="_internal" sourcetype="splunkd" log_level!="INFO" component!="Metrics" AND component!="ExecProcessor" 
| head 50
| streamstats count as sno by component
| eval component=component."(".sno.")"
| table _time component

PS: I have used streamstats to apply statistical aggregate on streaming data over time based on your sample data. If you have stats, similar approach should still work. Please try out and confirm.

Re: How to display "(2)" next to hostname when a second host has been detected in the list?

damiensurat — Fri, 23 Mar 2018 12:01:00 GMT

Or you can do :

Your search | fields host, _time | eventstats count(host) as hostCount by _time | eval hostAndCount = host.” (“.hostCount.”)” | table host, hostAndCount, hostCount, _time

Re: How to display "(2)" next to hostname when a second host has been detected in the list?

lucien62 — Tue, 29 Sep 2020 18:38:32 GMT

I would prefer having the "2" next to the host name in the same column.

This will be used to identify when the same log is detected on the same server but at a different time.

This is the current search I'm using:

index=wineventlog host=* EventCode=55555 Message="blablabla..." | table host _time | sort -_time asc

Re: How to display "(2)" next to hostname when a second host has been detected in the list?

damiensurat — Fri, 23 Mar 2018 12:07:22 GMT

In situations where you only want to show a numeric if the host count is greater than one: Your search | fields host, _time | eventstats count(host) as hostCount by _time | eval hostAndCount = if(hostCount > 1, host.” (“.hostCount.”)” , host) | table host, hostAndCount, hostCount, _time

Re: How to display "(2)" next to hostname when a second host has been detected in the list?

damiensurat — Fri, 23 Mar 2018 12:11:53 GMT

Do you want the 2 next to the host and in the same column, or a separate column with the count of hosts?

Your search | fields host, _time | eventstats count(host) as hostCount by _time | table host, hostCount, _time

Your search | fields host, _time | eventstats count(host) as hostCount by _time | eval hostAndCount = host.” (“.hostCount.”)” | table host, hostAndCount, hostCount, _time

Re: How to display "(2)" next to hostname when a second host has been detected in the list?

damiensurat — Fri, 23 Mar 2018 12:16:35 GMT

So you don’t want to split by time then.

Your search | fields host, _time | eventstats count(host) as hostCount | eval host = if(hostCount > 1, host.” (“.hostCount.”)” , host) | table host, _time

Re: How to display "(2)" next to hostname when a second host has been detected in the list?

damiensurat — Fri, 23 Mar 2018 12:27:46 GMT

Btw. What the above search does is is counts all hosts by host name over your search time and then concatinates that sum of hosts next to your host if the resultant host count is greater than 2. Since I assume you are scanning events by _time which is what is populating the time field, you will see duplicate results if you come across more than one host with the same host name. Eg:
1:20 host1 (2)
1:22 host2
1:24 host1 (2)