https://community.splunk.com/t5/Splunk-Search/How-to-show-all-data-of-one-field/m-p/621670#M216098 <P>Hello, I put them in context before showing the query.</P> <P>I have a splunk that I test on it to see the query results because I don't have access to the splunk that has the data.</P> <P>I have a query that shows me the result of these two hostnames, but I need this same result but on all hostnames, not just these two.</P> <P>&nbsp;</P> <P>I have 2 queries.</P> <P>The first query gets me the results of the two teams, although I don't know if it does it because I have the data inserted (I can't find it by index) or it puts them because I use the makeresults (I read that it works in cache and the data doesn't have to be).</P> <P>|makeresults<BR />| eval EventCode="20", hostname="wdv01ssps,DESCASSOAW01", error_code="0x80070003 0x80004004"|makemv delim="," hostname | makemv delim=" " EventCode|makemv delim=" " error_code<BR />| mvexpand EventCode |mvexpand hostname |mvexpand error_code|table hostname EventCode error_code</P> <P>&nbsp;</P> <P>I'd like to use the latter as it's easier for me to display results from hostname, in this case it's called ComputerName.</P> <P>How can I do to show all ComputerName with these same filters?</P> <P>index=sistemi sourcetype="wineventlog" TaskCategory="Windows Update Agent" AND EventCode IN (20, 27)<BR />| eval day_of_week = lower(strftime(_time, "%A"))<BR />| eval date_string = strftime(_time, "%Y-%m-%d")<BR />| eval Weekend=if(day_of_week="saturday" OR day_of_week="sunday",1,null())<BR />| search Weekend=1<BR />| stats count by Message EventCode ComputerName date_string<BR />| stats list(Message) by ComputerName date_string EventCode</P> <P>It may simply not be possible to list all the computer names without listing them one by one.</P> <P>Thanks.</P> Tue, 22 Nov 2022 14:35:25 GMT userQ 2022-11-22T14:35:25Z https://community.splunk.com/t5/Splunk-Search/How-to-show-all-data-of-one-field/m-p/621670#M216098 <P>Hello, I put them in context before showing the query.</P> <P>I have a splunk that I test on it to see the query results because I don't have access to the splunk that has the data.</P> <P>I have a query that shows me the result of these two hostnames, but I need this same result but on all hostnames, not just these two.</P> <P>&nbsp;</P> <P>I have 2 queries.</P> <P>The first query gets me the results of the two teams, although I don't know if it does it because I have the data inserted (I can't find it by index) or it puts them because I use the makeresults (I read that it works in cache and the data doesn't have to be).</P> <P>|makeresults<BR />| eval EventCode="20", hostname="wdv01ssps,DESCASSOAW01", error_code="0x80070003 0x80004004"|makemv delim="," hostname | makemv delim=" " EventCode|makemv delim=" " error_code<BR />| mvexpand EventCode |mvexpand hostname |mvexpand error_code|table hostname EventCode error_code</P> <P>&nbsp;</P> <P>I'd like to use the latter as it's easier for me to display results from hostname, in this case it's called ComputerName.</P> <P>How can I do to show all ComputerName with these same filters?</P> <P>index=sistemi sourcetype="wineventlog" TaskCategory="Windows Update Agent" AND EventCode IN (20, 27)<BR />| eval day_of_week = lower(strftime(_time, "%A"))<BR />| eval date_string = strftime(_time, "%Y-%m-%d")<BR />| eval Weekend=if(day_of_week="saturday" OR day_of_week="sunday",1,null())<BR />| search Weekend=1<BR />| stats count by Message EventCode ComputerName date_string<BR />| stats list(Message) by ComputerName date_string EventCode</P> <P>It may simply not be possible to list all the computer names without listing them one by one.</P> <P>Thanks.</P> Tue, 22 Nov 2022 14:35:25 GMT https://community.splunk.com/t5/Splunk-Search/How-to-show-all-data-of-one-field/m-p/621670#M216098 userQ 2022-11-22T14:35:25Z https://community.splunk.com/t5/Splunk-Search/How-to-show-all-data-of-one-field/m-p/621684#M216102 <P>I am not sure what you are asking for - all the computer names are listed by the stats call. Do you just want the computer names?</P><LI-CODE lang="markup">| stats values(ComputerName) as ComputerName</LI-CODE> Tue, 22 Nov 2022 11:54:22 GMT https://community.splunk.com/t5/Splunk-Search/How-to-show-all-data-of-one-field/m-p/621684#M216102 ITWhisperer 2022-11-22T11:54:22Z https://community.splunk.com/t5/Splunk-Search/How-to-show-all-data-of-one-field/m-p/621701#M216113 <P>Hi, sorry if I didn't explain myself well.<BR />I would like to get all the hostnames instead of just naming those two, for example: hostname=*</P><P>Referencing the * as all the hostnames there are.</P><P>I know the * doesn't work in splunk like in programming languages, it only worked with index=* but not inside the query with the data.</P> Tue, 22 Nov 2022 12:42:09 GMT https://community.splunk.com/t5/Splunk-Search/How-to-show-all-data-of-one-field/m-p/621701#M216113 userQ 2022-11-22T12:42:09Z https://community.splunk.com/t5/Splunk-Search/How-to-show-all-data-of-one-field/m-p/621708#M216117 <P>Why do you think * only works for index?</P><P>By not restricting the hostname i.e. not using a filter, you will be getting events for all hostnames. This is almost the same as hostname=* except that hostname=* will ensure hostname is not null.</P> Tue, 22 Nov 2022 13:36:00 GMT https://community.splunk.com/t5/Splunk-Search/How-to-show-all-data-of-one-field/m-p/621708#M216117 ITWhisperer 2022-11-22T13:36:00Z