https://community.splunk.com/t5/Reporting/Building-report-with-options/m-p/236976#M4785 <P>Looks like I need to get off my nethers and learn to work w/ Pivot tables.</P> Mon, 07 Mar 2016 19:16:24 GMT banderson7 2016-03-07T19:16:24Z https://community.splunk.com/t5/Reporting/Building-report-with-options/m-p/236975#M4784 <P>We've built a report for ~150 hosts and a big filtered list of the eventlogs. My fields are Host, EventCode, SourceName, sourcetype, Message &amp; Count. Currently, I have a count of eventcodes per host, but it's been requested that I get a count of eventcodes of all the hosts, preferably in the same report.<BR /> Also, my message field is truncated to 75 characters. It's also been requested that the full message be readable as easily as possible. Below is my query: </P> <PRE><CODE>(index=server OR index=lansweeper OR index=wineventlog OR index=windows OR index=adhoc_audit) tag::host=PHI (source="WinEventLog:System" OR source="WinEventLog:Security" OR source="WinEventLog:Application" OR source="WinEventLog:Directory Service" OR source=ls-winevent) SourceName!=TAAG.SchedulingService SourceName!=Paradigm.PCMS.Session SourceName!=W32Time SourceName!="ASP.NET*" SourceName!=".NET Runtime" SourceName!=Microsoft-Windows-WAS SourceName!=Paradigm.Vito.PCMS.Session SourceName!=LogSrcTraxCS.Message997I5 SourceName!=MSSQL$* SourceName!="Windows Update Agent" SourceName!="Phantom Call service" SourceName!=SQLISPackage100 EventCode!=592 EventCode!=593 EventCode!=562 EventCode!=567 EventCode!=540 EventCode!=564 EventCode!=538 EventCode!=594 EventCode!=600 EventCode!=560 SourceName!="Director Agent" SourceName!=MR_MONITOR EventCode!=18264 SourceName!="Microsoft-Windows-WMI" SourceName!=vmStatsProvider SourceName!=".NET Runtime 2.0 Error Reporting" EventCode!=6013 EventCode!=4634 SourceName!="Microsoft-Windows-Kernel-General" SourceName!=SQLISPackage EventCode!=7036 | eval Message=substr(Message,1,75) | stats count(EventCode) as COUNT by host, EventCode,SourceName,sourcetype, Message | sort + COUNT </CODE></PRE> <P>So, I'm thinking it would look something like EventCode Count, then expanding the eventcode would give me a list of hosts and their count. Is this possible in Splunk?</P> Mon, 07 Mar 2016 16:36:42 GMT https://community.splunk.com/t5/Reporting/Building-report-with-options/m-p/236975#M4784 banderson7 2016-03-07T16:36:42Z https://community.splunk.com/t5/Reporting/Building-report-with-options/m-p/236976#M4785 <P>Looks like I need to get off my nethers and learn to work w/ Pivot tables.</P> Mon, 07 Mar 2016 19:16:24 GMT https://community.splunk.com/t5/Reporting/Building-report-with-options/m-p/236976#M4785 banderson7 2016-03-07T19:16:24Z https://community.splunk.com/t5/Reporting/Building-report-with-options/m-p/236977#M4786 <P>Swap this:</P> <PRE><CODE>.... | stats count(EventCode) as COUNT by host, EventCode,SourceName,sourcetype, Message | sort + COUNT </CODE></PRE> <P>for this:</P> <PRE><CODE>... | top limit=0 EventCode by host | addtotals col=t row=f labelfield=host label="TOTAL" </CODE></PRE> Mon, 07 Mar 2016 23:04:12 GMT https://community.splunk.com/t5/Reporting/Building-report-with-options/m-p/236977#M4786 woodcock 2016-03-07T23:04:12Z https://community.splunk.com/t5/Reporting/Building-report-with-options/m-p/236978#M4787 <P>That gave me host,eventcode,count,percent fields, and I'm uncertain what the percentage ... is a percentage of.</P> Tue, 08 Mar 2016 13:23:20 GMT https://community.splunk.com/t5/Reporting/Building-report-with-options/m-p/236978#M4787 banderson7 2016-03-08T13:23:20Z