
Histogram of counts

Motivator

Hi,

I have this data

337487,1512448,motion sensor,RFDL-ZB-MS,Bosch
337487,1512447,door/window sensor,SZ-DWS04,Sercomm Corp.
337487,1512446,door/window sensor,SZ-DWS04,Sercomm Corp.
337466,1512176,motion sensor,RFDL-ZB-MS,Bosch

The way it is formatted is premiseID,Account,devicetype,model,manufacturer

There are 756,000 events that I need to sort like this example: there are 50,000 premises that have 7 devices in a given premise, then there are 25,000 premises with 8 devices, etc. Any thoughts?

0 Karma

Motivator

Figured it out

The query looks like this

index="some index" | stats count as statscount by PREMISE_ID | stats count(statscount) as testcount by statscount | sort statscount | rename statscount as "Number of Devices" testcount as "Number of Premises"
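
The two-stage aggregation in the query above, reproduced in Python as an added example that is not part of the original thread. The function names and the sample rows after the first four are constructed for illustration.

```python
import csv
from collections import Counter
from io import StringIO

# Constructed sample in the thread's format:
# premiseID,Account,devicetype,model,manufacturer
# The first four rows are quoted in the question; the last four are made up.
SAMPLE = """\
337487,1512448,motion sensor,RFDL-ZB-MS,Bosch
337487,1512447,door/window sensor,SZ-DWS04,Sercomm Corp.
337487,1512446,door/window sensor,SZ-DWS04,Sercomm Corp.
337466,1512176,motion sensor,RFDL-ZB-MS,Bosch
337400,1512001,motion sensor,RFDL-ZB-MS,Bosch
337401,1512002,door/window sensor,SZ-DWS04,Sercomm Corp.
337401,1512003,motion sensor,RFDL-ZB-MS,Bosch
337401,1512004,motion sensor,RFDL-ZB-MS,Bosch
"""


def devices_per_premise(text):
    """Stage 1: same role as `stats count as statscount by PREMISE_ID`."""
    counts = Counter()
    for row in csv.reader(StringIO(text)):
        # Skip blank or malformed rows and rows with no premise ID;
        # `stats ... by` likewise drops events whose by-field is missing.
        if len(row) != 5 or not row[0].strip():
            continue
        counts[row[0].strip()] += 1
    return counts


def premises_per_device_count(per_premise):
    """Stage 2: same role as
    `stats count(statscount) as testcount by statscount | sort statscount`.
    Returns (number_of_devices, number_of_premises) pairs, ascending."""
    return sorted(Counter(per_premise.values()).items())


if __name__ == "__main__":
    stage1 = devices_per_premise(SAMPLE)
    print("Number of Devices  Number of Premises")
    for n_devices, n_premises in premises_per_device_count(stage1):
        print(f"{n_devices:>17}  {n_premises:>18}")
```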

Splunk Employee

Please accept your own answer to mark as resolved. Thx!

0 Karma

Motivator

Here is a bit more information that hopefully helps

I ran a stats command on the data and built the below table

PREMISE_ID  count
179944  54
98238   51
279433  50
295025  49
180500  48
204649  44
235284  44
100387  42
247920  42
254718  42
328091  42
131607  40
274352  40
286689  40
99134   40

Based off of this snippet, the table/chart I'm hoping to create would look something like this

Number of Premises with 54 devices=1
Number of Premises with 51 devices=1
Number of Premises with 50 devices=1
blah blah blah
Number of Premises with 44 devices=2
Number of Premises with 42 devices=4
Number of Premises with 40 devices=4

Hopefully that helps!

0 Karma