topic Re: need to create separate field which will show rank based on event Count in Splunk Search

need to create separate field which will show rank based on event Count

shivareddysompa — Fri, 29 May 2020 07:10:40 GMT

ComputerName Events Rank

    ABC     100        1
    BCD 200        2
    CDE     300        3

i need to create Rank by Events

Re: need to create separate field which will show rank based on event Count

493669 — Fri, 29 May 2020 08:21:47 GMT

@shivareddysompalle,
Use first sort then streamstats command to calculate rank-

...|sort Events| streamstats count AS Rank

Below is using sample data-

|makeresults|eval ComputerName ="abc", Events ="200"
|append[|makeresults|eval ComputerName ="bcd", Events ="100"]
|append[|makeresults|eval ComputerName ="def", Events ="300"]|sort Events| streamstats count AS Rank

Re: need to create separate field which will show rank based on event Count

shivareddysompa — Fri, 29 May 2020 09:32:24 GMT

my intention is highest number of event has to hold 1 rank then following and if events are same then rank should be same

Re: need to create separate field which will show rank based on event Count

493669 — Mon, 01 Jun 2020 05:00:05 GMT

@shivareddysompalle,
Try below-

|makeresults|eval ComputerName ="abc", Events ="200"
  |append[|makeresults|eval ComputerName ="bcd", Events ="100"]
   |append[|makeresults|eval ComputerName ="fcd", Events ="200"]
  |append[|makeresults|eval ComputerName ="def", Events ="300"]|sort - Events | streamstats current=f window=1 values(Events) as prev | eval Rank_filled=if(prev=Events,0,1) | accum Rank_filled

Re: need to create separate field which will show rank based on event Count

shivareddysompa — Wed, 03 Jun 2020 05:15:37 GMT

used same but not worked .
i can't share my query since it is organisational data .

Re: need to create separate field which will show rank based on event Count

493669 — Wed, 03 Jun 2020 05:33:47 GMT

Can you share some sample data and your query by masking confidential data.
since as per your data from question it should work.

Re: need to create separate field which will show rank based on event Count

shivareddysompa — Wed, 03 Jun 2020 05:41:04 GMT

    COmputerName  Countofissues
    ABC     10
    BCD     22
    DCE     32

my query is like
eventstats dc(Computername) as Countofissues by Computername

i need to assign rank based on Countofisues . Countofissues will change dynamically by time

Re: need to create separate field which will show rank based on event Count

493669 — Wed, 03 Jun 2020 05:53:07 GMT

Try below without using above eventstats command-

...|table ComputerName Countofissues|sort - Countofissues | streamstats current=f window=1 values(Countofissues) as prev | eval Rank=if(prev=Countofissues,0,1) | accum Rank|table ComputerName Countofissues Rank

Re: need to create separate field which will show rank based on event Count

shivareddysompa — Wed, 03 Jun 2020 05:58:39 GMT

how i will get Count of issues without eventstats ?
if i use stats no issues are found

Re: need to create separate field which will show rank based on event Count

493669 — Wed, 03 Jun 2020 06:01:38 GMT

use-

stats count as Countofissues by ComputerName

Re: need to create separate field which will show rank based on event Count

shivareddysompa — Wed, 03 Jun 2020 06:09:47 GMT

even i have applied rank is same like 1 2 3

Re: need to create separate field which will show rank based on event Count

shivareddysompa — Wed, 30 Sep 2020 05:36:35 GMT

my query is below:

index="abc" source="bcd"
|eval ComputerName=upper(ComputerName)
|join ComputerName
[|savedsearch Computers_By_Product productName="DELL"]
| eval title = replace(title,"{","")
| eval title = replace(title,"}","")
| rename title as signature
| join type=left signature
[search index="abc" source="dce" earliest=1 latest=now() | stats dc(id) as IDs by signature]
| eventstats dc(DateTime) as issueCount by ComputerName
| eventstats dc(ID) as fixCount by ComputerName
|sort issueCount |streamstats current=f window=1 values(issueCount) as Prev|eval Rank_filled=if(prev=Events,0,1) | accum Rank_filled|table ComputerName issueCount Rank_filled

Re: need to create separate field which will show rank based on event Count

493669 — Wed, 03 Jun 2020 06:28:18 GMT

Try below-

index="abc" source="bcd"
|eval ComputerName=upper(ComputerName)
|join ComputerName
[|savedsearch Computers_By_Product productName="DELL"]
| eval title = replace(title,"{","")
| eval title = replace(title,"}","")
| rename title as signature
| join type=left signature
[search index="abc" source="dce" earliest=1 latest=now() | stats dc(id) as IDs by signature]
| eventstats dc(DateTime) as issueCount by ComputerName
| eventstats dc(ID) as fixCount by ComputerName
|sort 0 - issueCount |streamstats current=f window=1 values(issueCount) as Prev|eval Rank_filled=if(prev=issueCount,0,1) | accum Rank_filled|table ComputerName issueCount Rank_filled

Re: need to create separate field which will show rank based on event Count

shivareddysompa — Wed, 03 Jun 2020 07:00:24 GMT

got results like

issueCount Rank
2 1
2 2
1 3
1 4

need the rank like
issueCount Rank
2 1
2 1
1 2
1 2

Re: need to create separate field which will show rank based on event Count

shivareddysompa — Thu, 04 Jun 2020 10:56:07 GMT

@woodcock

please help on this

Re: need to create separate field which will show rank based on event Count

shivareddysompa — Thu, 11 Jun 2020 05:44:44 GMT

anyone is there to help on above request?