topic Re: help on append command in Splunk Search

help on append command

jip31 — Tue, 12 Feb 2019 08:20:34 GMT

The request below count a number of error events by host

index="x" sourcetype="x" ConfigManagerErrorCode=28 
| dedup host
| stats count(host) as host

I want to match this count with the serach below in order to have the number of error events by model

index="x" sourcetype="x" ConfigManagerErrorCode=28 
| dedup host 
| append 
    [ search index="aix" sourcetype="x" 
    | rex "Model=(?<model>.*)" ] 
| stats values(model) as Model by host 
| stats count(host) as host by Model 
| dedup host

So I do this but it doesn't returns the same number of events that there is in the first search
So my request is not good....
Could you help me on this append command please???

Re: help on append command

woodcock — Tue, 12 Feb 2019 09:29:12 GMT

First of all, your first search does NOT count number of error events by host, but this does:

index="x" sourcetype="x" ConfigManagerErrorCode=28 
| stats count BY host

To show the number of error events by model, try this:

(index="x" sourcetype="x" ConfigManagerErrorCode=28) OR (index="aix" sourcetype="x")
| rex "Model=(?<model>.*)"
| stats values(model) AS Model count(eval(index=x)) AS count BY host
| mvexpand Model
| stats sum(count) AS count BY Model

Re: help on append command

jip31 — Tue, 12 Feb 2019 09:55:37 GMT

OK for :

index="x" sourcetype="x" ConfigManagerErrorCode=28 
| stats count BY host

but if I want to have the result (five events) in a single value what i have to do

concerning :

 (index="x" sourcetype="x" ConfigManagerErrorCode=28) OR (index="aix" sourcetype="x")
2. | rex "Model=(?<model>.*)"
3. | stats values(model) AS Model count(eval(index=x)) AS count BY host
4. | mvexpand Model
5. | stats sum(count) AS count BY Model

it doesn't works
I have more than 2000 events...
if in the request below I have 5 events I need to have also 5 events in the second query but i want the details by model

 index="x" sourcetype="x" ConfigManagerErrorCode=28 
| stats count BY host

Re: help on append command

jip31 — Tue, 12 Feb 2019 10:43:54 GMT

when I do this its almost what i want but it seems to count not the number of host by model but only to count each model (so I have always model=a =1, model b=1, model c=1)

Re: help on append command

nawneel — Tue, 12 Feb 2019 12:47:07 GMT

index="x" sourcetype="x" ConfigManagerErrorCode=28 
 | stats dc(host) as host

for getting hosts

and as suggested by woodcock

(index="x" sourcetype="x" ConfigManagerErrorCode=28) OR (index="aix" sourcetype="x")
 | rex "Model=(?<model>.*)"
 | stats values(model) AS Model count(eval(index=x)) AS count BY host
 | mvexpand Model
 | stats sum(count) AS count BY Model

this should work

Re: help on append command

jip31 — Tue, 12 Feb 2019 14:21:19 GMT

which index I have to add in count(eval(index=x))??

Re: help on append command

woodcock — Sun, 03 Mar 2019 04:37:06 GMT

Try this:

index="x" sourcetype="x" ConfigManagerErrorCode=28 
| stats count BY host
| rename COMMENT AS "The stuff below converts your 5 rows into 1"
| eval hosts="counts"
| xyseries hosts host count