https://community.splunk.com/t5/Getting-Data-In/Need-seperate-count-for-UP-and-DOWN-Peer/m-p/481725#M82571 <P>thanks for the query it helped. </P> Fri, 10 Jan 2020 10:36:08 GMT jerinvarghese 2020-01-10T10:36:08Z https://community.splunk.com/t5/Getting-Data-In/Need-seperate-count-for-UP-and-DOWN-Peer/m-p/481720#M82566 <P>Hi All,</P> <P>I have a query to display some BGP neighbour UP or DOWN.</P> <P>Output looks like <BR /> nodelabel Status PEER_IP Time_CST<BR /> Device1 UP 10.253.226.10 01/08/20 02:03:53<BR /> Device2 DOWN 10.253.140.89 01/08/20 00:26:54</P> <P>Query is : </P> <P>index=opennms eventuei="uei.opennms.org/thresholds/bgpPeerState/XOM*" "WANRT*" "10.253*"<BR /> | rex field=eventuei "uei.opennms.org/thresholds/bgpPeerState/(?.+)"<BR /> | rex "peer: (?.*), eventseverity" <BR /> | eval Status=case(bgpPeerState=="XOM-rearm", "UP", bgpPeerState=="XOM-falling", "DOWN", 1=1, "Other")<BR /> | rename _time as Time_CST<BR /> | fieldformat Time_CST=strftime(Time_CST,"%x %X")<BR /> | dedup nodelabel sortby - Time_CST <BR /> | table nodelabel Status PEER_IP Time_CST</P> <P>I need a help, want to display how many UP and DOWN peers there.</P> Wed, 30 Sep 2020 03:37:43 GMT https://community.splunk.com/t5/Getting-Data-In/Need-seperate-count-for-UP-and-DOWN-Peer/m-p/481720#M82566 jerinvarghese 2020-09-30T03:37:43Z https://community.splunk.com/t5/Getting-Data-In/Need-seperate-count-for-UP-and-DOWN-Peer/m-p/481721#M82567 <P>use something like this on the end?</P> <P>| stats count as Total count(eval(Status=="UP")) as "up_count" count(eval(Status=="DOWN")) as "down_count"</P> <P>Or </P> <P>index=opennms eventuei="uei.opennms.org/thresholds/bgpPeerState/XOM*" "WANRT*" "10.253*"<BR /> | rex field=eventuei "uei.opennms.org/thresholds/bgpPeerState/(?.+)"<BR /> | rex "peer: (?.*), eventseverity"<BR /> | eval Status=case(bgpPeerState=="XOM-rearm", "UP", bgpPeerState=="XOM-falling", "DOWN", 1=1, "Other")<BR /> | dedup nodelabel<BR /> | stats dc(PEER_IP) as Total by Status</P> Wed, 30 Sep 2020 03:34:01 GMT https://community.splunk.com/t5/Getting-Data-In/Need-seperate-count-for-UP-and-DOWN-Peer/m-p/481721#M82567 WalshyB 2020-09-30T03:34:01Z https://community.splunk.com/t5/Getting-Data-In/Need-seperate-count-for-UP-and-DOWN-Peer/m-p/481722#M82568 <P>@jerinvarghese <BR /> Try</P> <PRE><CODE>YOUR_SEARCH | stats count(eval(Status="UP")) as UP_Count count(eval(Status="DOWN")) as DOWN_Count </CODE></PRE> Fri, 10 Jan 2020 10:07:34 GMT https://community.splunk.com/t5/Getting-Data-In/Need-seperate-count-for-UP-and-DOWN-Peer/m-p/481722#M82568 kamlesh_vaghela 2020-01-10T10:07:34Z https://community.splunk.com/t5/Getting-Data-In/Need-seperate-count-for-UP-and-DOWN-Peer/m-p/481723#M82569 <P>Hello, </P> <P>First method:</P> <PRE><CODE>index=opennms eventuei="uei.opennms.org/thresholds/bgpPeerState/XOM*" "WANRT*" "10.253*" | rex field=eventuei "uei.opennms.org/thresholds/bgpPeerState/(?.+)" | rex "peer: (?.*), eventseverity" | eval Status=case(bgpPeerState=="XOM-rearm", "UP", bgpPeerState=="XOM-falling", "DOWN", 1=1, "Other") | rename _time as Time_CST | fieldformat Time_CST=strftime(Time_CST,"%x %X") | dedup nodelabel sortby - Time_CST | table nodelabel Status PEER_IP Time_CST | eval number_Up=if(Status="UP",1,0), number_Down=if(Status="DOWN",1,0) | stats sum(number_Up) as UP, sum(number_Down) as DOWN </CODE></PRE> <P>Second method:</P> <PRE><CODE>index=opennms eventuei="uei.opennms.org/thresholds/bgpPeerState/XOM*" "WANRT*" "10.253*" | rex field=eventuei "uei.opennms.org/thresholds/bgpPeerState/(?.+)" | rex "peer: (?.*), eventseverity" | eval Status=case(bgpPeerState=="XOM-rearm", "UP", bgpPeerState=="XOM-falling", "DOWN", 1=1, "Other") | rename _time as Time_CST | fieldformat Time_CST=strftime(Time_CST,"%x %X") | dedup nodelabel sortby - Time_CST | table nodelabel Status PEER_IP Time_CST | stats count(eval(Status="UP")) as UP, count(eval(Status="DOWN")) as DOWN </CODE></PRE> Fri, 10 Jan 2020 10:26:24 GMT https://community.splunk.com/t5/Getting-Data-In/Need-seperate-count-for-UP-and-DOWN-Peer/m-p/481723#M82569 TISKAR 2020-01-10T10:26:24Z https://community.splunk.com/t5/Getting-Data-In/Need-seperate-count-for-UP-and-DOWN-Peer/m-p/481724#M82570 <PRE><CODE>index=opennms eventuei="uei.opennms.org/thresholds/bgpPeerState/XOM*" "WANRT*" "10.253.*" | rex "peer: (?&lt;PEER_IP&gt;.*), eventseverity" | stats count(eval(searchmatch("XOM-rearm"))) AS UP count(eval(searchmatch("XOM-falling"))) AS DOWN values(PEER_IP) AS PEER_IP by nodelabel </CODE></PRE> <P>hi, only count up &amp; down by nodelabel.</P> Fri, 10 Jan 2020 10:34:45 GMT https://community.splunk.com/t5/Getting-Data-In/Need-seperate-count-for-UP-and-DOWN-Peer/m-p/481724#M82570 to4kawa 2020-01-10T10:34:45Z https://community.splunk.com/t5/Getting-Data-In/Need-seperate-count-for-UP-and-DOWN-Peer/m-p/481725#M82571 <P>thanks for the query it helped. </P> Fri, 10 Jan 2020 10:36:08 GMT https://community.splunk.com/t5/Getting-Data-In/Need-seperate-count-for-UP-and-DOWN-Peer/m-p/481725#M82571 jerinvarghese 2020-01-10T10:36:08Z