Join the Conversation
- Find Answers
- :
- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Re: Why am I not getting a result?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The following code is intended to do several things. First, I am looking for all the hosts that are producing winevents and counting them.
index=winevents | dedup host| stats count as Total
Next, I do an ldapsearch for all computers in AD that have a Windows OS.
| append [ldapsearch search="(objectClass=computer)" attrs="cn,operatingSystem,operatingSystemVersion"
| lookup dnslookup clienthost AS cn
| search (opeartingSystem="Win*")]
Finally, I count those Windows computers and calculate a percentage between the Total computers and the Windows Computers
| stats count as WindowsComputers | append [makeresults [eval var = Total/WindowsComputers)]] | table var
The variable var is not displaying the percentage or anything whatsoever. Any ideas? this is the full code:
index=winevents
| dedup host
| stats count as Total
| append [ldapsearch search="(objectClass=computer)" attrs="cn,operatingSystem,operatingSystemVersion"
| lookup dnslookup clienthost AS cn
| search (opeartingSystem="Win*")]
| stats count as WindowsComputers
| append [makeresults [eval var = Total/WindowsComputers)]]
| table var
Thanks in advance!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey
First thing I'd change is the first query to index=winevents | stats dc(host) as Total
But coming to your issue, if your search is like this, after the makeresults you have a "[" and you must have a "|"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey
First thing I'd change is the first query to index=winevents | stats dc(host) as Total
But coming to your issue, if your search is like this, after the makeresults you have a "[" and you must have a "|"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If I use index=winevents | stats dc(host) as Total, for some reason it won't bring the real amount.
I tried changing the syntax and nothing yet.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you try this by parts?
Is this returning events?
index=winevents
| dedup host
| stats count as Total
Is this returning events?
index=winevents
| dedup host
| stats count as Total
Is this returning events?
ldapsearch search="(objectClass=computer)" attrs="cn,operatingSystem,operatingSystemVersion"
| lookup dnslookup clienthost AS cn
| search (opeartingSystem="Win*")
And finally, have you changed to | append [ makeresults | eval var = Total/WindowsComputers) ] ??
Notice that | append [makeresults [eval var = Total/WindowsComputers)]] will never return results because it is a separate search that has no knowledge of the variables Total or WindowsComputers
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@tiagofbmm Both queries return events. I use both on a different dashboard which works.
| append [ makeresults | eval var = Total/WindowsComputers) ] - No results found
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Cool so as I told you, the last append has no knowledge of what the remaining things, mainly because the subsearches are run before the main search!
I believe what you need is this
index=winevents
| dedup host
| stats count as Total
| appendcols [ldapsearch search="(objectClass=computer)" attrs="cn,operatingSystem,operatingSystemVersion"
| lookup dnslookup clienthost AS cn
| search (opeartingSystem="Win*") | stats count as WindowsComputers ]
| eval Percentage=Total/WindowsComputers
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Still nothing man. It brings the Total but that's it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This returns result?
| ldapsearch search="(objectClass=computer)" attrs="cn,operatingSystem,operatingSystemVersion"
| lookup dnslookup clienthost AS cn
| search (opeartingSystem="Win*") | stats count as WindowsComputers
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yep. I have 900 computers in my network and it brings all 900
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hopefully not a stupid question at this time but... did you have the | in the ldapsearch?
index=winevents
| dedup host
| stats count as Total
| appendcols [ | ldapsearch search="(objectClass=computer)" attrs="cn,operatingSystem,operatingSystemVersion"
| lookup dnslookup clienthost AS cn
| search (opeartingSystem="Win*") | stats count as WindowsComputers ]
| eval Percentage=Total/WindowsComputers
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Please let me know if the answer was useful for you. If it was, accept it and upvote. If not, give us more input so we can help you with that
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I will get back to you Monday. Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I had the | in the ldapsearch but was missing the [.
Thanks for all the help!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Line 8 should read | append [makeresults [eval var = Total/WindowsComputers)*100,1]]
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
May 2026 Splunk Expert Sessions: Security & Observability
Network to App: Observability Unlocked [May & June Series]
SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...
