https://community.splunk.com/t5/Splunk-Search/Finding-total-number-for-OOID/m-p/260552#M78158 <P>Hi all,</P> <P>I currently have a search that I need a little tweaking to get something else that I want.</P> <P>So the current search : </P> <P>index=test sourcetype=test "OOID Folder workspace" | lookup client_ooid_to_name OOID OUTPUT clientName | eval Client=clientName . "(" . OOID . ")" | chart count by Client action | addtotals | sort 5 -Total</P> <P>Looks up the five most active OOIDs by number, maps them to a name which I imported a lookup table for, then displays the count of actions for each OOID.</P> <P>What I want to do now is to just get the total number of OOIDS per day, as opposed to finding the count for each one.</P> <P>Can anyone lend a hand?</P> <P>Thanks in advance for your responses. </P> Tue, 29 Sep 2020 09:11:57 GMT splunkman341 2020-09-29T09:11:57Z https://community.splunk.com/t5/Splunk-Search/Finding-total-number-for-OOID/m-p/260552#M78158 <P>Hi all,</P> <P>I currently have a search that I need a little tweaking to get something else that I want.</P> <P>So the current search : </P> <P>index=test sourcetype=test "OOID Folder workspace" | lookup client_ooid_to_name OOID OUTPUT clientName | eval Client=clientName . "(" . OOID . ")" | chart count by Client action | addtotals | sort 5 -Total</P> <P>Looks up the five most active OOIDs by number, maps them to a name which I imported a lookup table for, then displays the count of actions for each OOID.</P> <P>What I want to do now is to just get the total number of OOIDS per day, as opposed to finding the count for each one.</P> <P>Can anyone lend a hand?</P> <P>Thanks in advance for your responses. </P> Tue, 29 Sep 2020 09:11:57 GMT https://community.splunk.com/t5/Splunk-Search/Finding-total-number-for-OOID/m-p/260552#M78158 splunkman341 2020-09-29T09:11:57Z https://community.splunk.com/t5/Splunk-Search/Finding-total-number-for-OOID/m-p/260553#M78159 <P>How about this</P> <PRE><CODE>index=test sourcetype=test "OOID Folder workspace" | timechart span=1d count(OOID) as OOID_Count </CODE></PRE> <P>OR </P> <PRE><CODE>index=test sourcetype=test "OOID Folder workspace" | lookup client_ooid_to_name OOID OUTPUT clientName | eval Client=clientName . "(" . OOID . ")"| timechart span=1d count(Client) as OOID_Count </CODE></PRE> Wed, 23 Mar 2016 18:10:34 GMT https://community.splunk.com/t5/Splunk-Search/Finding-total-number-for-OOID/m-p/260553#M78159 somesoni2 2016-03-23T18:10:34Z https://community.splunk.com/t5/Splunk-Search/Finding-total-number-for-OOID/m-p/260554#M78160 <P>Perhaps something like this?</P> <PRE><CODE>index=test sourcetype=test "OOID Folder workspace" | stats dc(OOID) | ... </CODE></PRE> <P>or maybe</P> <PRE><CODE>index=test sourcetype=test "OOID Folder workspace" | timechart span=1d dc(OOID) | ... </CODE></PRE> Wed, 23 Mar 2016 18:11:59 GMT https://community.splunk.com/t5/Splunk-Search/Finding-total-number-for-OOID/m-p/260554#M78160 richgalloway 2016-03-23T18:11:59Z https://community.splunk.com/t5/Splunk-Search/Finding-total-number-for-OOID/m-p/260555#M78161 <P>Thanks for your responses guys! All work like a dream! </P> Wed, 23 Mar 2016 18:30:20 GMT https://community.splunk.com/t5/Splunk-Search/Finding-total-number-for-OOID/m-p/260555#M78161 splunkman341 2016-03-23T18:30:20Z https://community.splunk.com/t5/Splunk-Search/Finding-total-number-for-OOID/m-p/260556#M78162 <P>Count gives the number of events with the ooid field. DC is the correct function. </P> Wed, 23 Mar 2016 19:17:51 GMT https://community.splunk.com/t5/Splunk-Search/Finding-total-number-for-OOID/m-p/260556#M78162 landen99 2016-03-23T19:17:51Z