How do you count the least number of events (as opposed to the highest number)?

stcrispan
Communicator

I have a Top Ten report going which counts the highest number of network timeout/disconnects on wireless devices by the total number of events and listed by device name.

index=dss_tablet sourcetype=dss_tablet_App "TCP error code 10060"| timechart limit=10 useother=f count by ComputerName

My customers have asked, "What are the best performing devices?"

My initial reaction was to simply eliminate the 10060 event, but this isn't an accurate summation -- that would give me the tablets which merely had the highest event code count.

So what I need is a search which looks for Event 10060 and then takes the lowest incidences. So if I have 100 devices, and only two of them registered one 10060 event each...and one device claims to have it four times...and another three which say only five times....then the idea is that these devices would come up in a Top Ten list, listed by device and how many times they had the event, with the understanding that these were the least afflicted by this condition.

Brain teaser, or childishly simple?

1 Solution

renjith_nair
SplunkTrust

@stcrispan,

Try this and let us know if it's close to what you are looking for

 index=dss_tablet sourcetype=dss_tablet_App "TCP error code 10060"| stats count by ComputerName|sort count limit=10
Happy Splunking!


stcrispan
Communicator

Is there a way to break out the results?

For instance, I have 200 devices. 42 of them have only a single 10060 event, 23 of them have two 10060 events, 19 of them count three events, and so on.

Is there a way to have a chart which, on the bottom puts 1 event, 2 events, 3 events (and so on), and for each category charts the count?

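The "break out the results" question above asks for a distribution: how many devices had one 10060 event, how many had two, and so on. The following search is an added example written for this thread, not a search posted by either participant. It assumes that every wireless device also logs other events to `index=dss_tablet sourcetype=dss_tablet_App`; under that assumption it also counts devices with zero 10060 events, which the thread's searches cannot see because their base search filters on the error string itself.

```spl
index=dss_tablet sourcetype=dss_tablet_App
| eval is_timeout=if(searchmatch("TCP error code 10060"), 1, 0)
| stats sum(is_timeout) AS timeouts BY ComputerName
| stats count AS devices BY timeouts
| eventstats sum(devices) AS total_devices
| eval pct_of_devices=round(100*devices/total_devices, 1)
| fields - total_devices
| sort timeouts
```

The first `stats` produces one row per device with its 10060 count (zero for devices that only logged other events); the second `stats` turns that into one row per distinct count, which is the histogram requested. Because `timeouts` is the first field in the result, a column chart over this search puts the event count on the x-axis and the number of devices on the y-axis. If only devices with at least one timeout should appear, add `| where timeouts > 0` before the second `stats`.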


stcrispan
Communicator

Yup, that works!

But I have 45 which are one event, and 10 more which are two events, and 6 which are three events.

And (maybe as a consequence) my chart no longer provides count by Computer Name, it provides a count by...well, event count.

But please don't think I'm ungrateful; thank you for your quick response!

Now I just have to figure out how to display this data to my customers.

0 Karma

renjith_nair
SplunkTrust

@stcrispan, do you mean to say that there can be multiple devices which have the same event count, so instead of just the first 10 entries, you need the first 10 devices with their count?
If that's the case, try

   index=dss_tablet sourcetype=dss_tablet_App "TCP error code 10060"| stats count by ComputerName|sort count
   |streamstats current=f window=1 last(count) as prev|eval change=if(count==prev,0,1)|accum change as total
   |where total <11|fields - change,total
Happy Splunking!

stcrispan
Communicator

Fantastic.

Thank you!
