
How do you count the least number of events (as opposed to the highest number)?

Communicator

I have a Top Ten report going which counts the highest number of network timeout/disconnects on wireless devices by the total number of events and listed by device name.

index=dss_tablet sourcetype=dss_tablet_App "TCP error code 10060"| timechart limit=10 useother=f count by ComputerName

My customers have asked, "What are the best performing devices?"

My initial reaction was to simply eliminate the 10060 event, but this isn't an accurate summation -- that would give me the tablets which merely had the highest event code count.

So what I need is a search which looks for Event 10060 and then takes the lowest incidences. So if I have 100 devices, and only two of them registered one 10060 event each...and one device claims to have it four times...and another three which say only five times....then the idea is that these devices would come up in a Top Ten list, listed by device and how many times they had the event, with the understanding that these were the least afflicted by this condition.

Brain teaser, or childishly simple?

0 Karma
1 Solution

SplunkTrust

@stcrispan,

Try this and let us know if it's close to what you are looking for:

 index=dss_tablet sourcetype=dss_tablet_App "TCP error code 10060" | stats count by ComputerName | sort limit=10 count


Communicator

Is there a way to break out the results?

For instance, I have 200 devices. 42 of them have only a single 10060 event, 23 of them have two 10060 events, 19 of them count three events, and so on.

Is there a way to have a chart which, on the bottom puts 1 event, 2 events, 3 events (and so on), and for each category charts the count?

0 Karma


Communicator

Yup, that works!

But I have 45 which are one event, and 10 more which are two events, and 6 which are three events.

And (maybe as a consequence) my chart no longer provides count by Computer Name, it provides a count by...well, event count.

But please don't think I'm ungrateful; thank you for your quick response!

Now I just have to figure out how to display this data to my customers.

0 Karma

SplunkTrust

@stcrispan, do you mean to say that there can be multiple devices which have the same event count, so instead of just the first 10 entries, you need the first 10 devices with their count?
If that's the case, try:

   index=dss_tablet sourcetype=dss_tablet_App "TCP error code 10060" | stats count by ComputerName | sort count
   | streamstats current=f window=1 last(count) as prev | eval change=if(count==prev,0,1) | accum change as total
   | where total<11 | fields - change,total
0 Karma
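The three searches in this thread (the plain `sort` lowest-N, the `streamstats`/`accum` variant that keeps every device in the N lowest count values, and the "how many devices had 1 event, 2 events, ..." chart asked about above) are easiest to understand by running the same stages outside Splunk. The block below is an added example, not code from the thread or from Splunk; the log lines, the `TAB-nn` device names and the helper names are constructed for illustration. The SPL that produces the per-event-count chart, `... | stats count by ComputerName | stats count as devices by count | sort count`, is likewise an added suggestion rather than something the answerers posted.

```python
"""Added example (not from the thread): reproduce the SPL pipelines from
the discussion in plain Python over constructed sample log lines, so the
tie handling of the streamstats/accum trick can be seen step by step."""
from collections import Counter

# Constructed sample events. Each line is one log record from a tablet,
# prefixed with its ComputerName. Counts are chosen so that ties occur at
# the low end, which is exactly the case the streamstats variant handles.
SAMPLE_EVENTS = (
    ["TAB-01 TCP error code 10060"] * 1
    + ["TAB-02 TCP error code 10060"] * 1
    + ["TAB-03 TCP error code 10060"] * 2
    + ["TAB-04 TCP error code 10060"] * 2
    + ["TAB-05 TCP error code 10060"] * 3
    + ["TAB-06 TCP error code 10060"] * 5
    + ["TAB-07 TCP error code 10060"] * 5
    + ["TAB-08 TCP error code 10060"] * 8
    + ["TAB-09 TCP error code 10061"]  # different error code: must be filtered out
)


def count_by_computer(events, needle="TCP error code 10060"):
    """`search "TCP error code 10060" | stats count by ComputerName`."""
    counts = Counter()
    for line in events:
        computer, _, message = line.partition(" ")
        if needle in message:
            counts[computer] += 1
    return dict(counts)


def lowest_n(counts, n=10):
    """`... | sort limit=n count`: the n rows with the fewest events.
    Ties are broken by name here only to make the result deterministic;
    SPL gives no guarantee about which tied rows survive the cut, which
    is the problem the follow-up answer addresses."""
    rows = sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))
    return rows[:n]


def lowest_n_groups(counts, n=10):
    """`... | sort count | streamstats current=f window=1 last(count) as prev
    | eval change=if(count==prev,0,1) | accum change as total | where total<n+1`.
    `change` is 1 whenever count differs from the previous row (the first
    row has no prev, so it is 1 too), and `total` is its running sum, i.e.
    the rank of the distinct count value. Keeping total <= n therefore
    keeps every device in the n lowest count values, not the first n rows."""
    rows = sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))
    kept, prev, total = [], None, 0
    for computer, count in rows:
        change = 0 if count == prev else 1
        total += change
        if total < n + 1:
            kept.append((computer, count))
        prev = count
    return kept


def devices_per_event_count(counts):
    """The chart asked about above: how many devices had 1 event, 2 events, ...
    Equivalent SPL (an added suggestion): `... | stats count by ComputerName
    | stats count as devices by count | sort count`."""
    buckets = Counter(counts.values())
    return sorted(buckets.items())


if __name__ == "__main__":
    c = count_by_computer(SAMPLE_EVENTS)
    print("lowest 3 rows        :", lowest_n(c, 3))
    print("lowest 3 count groups:", lowest_n_groups(c, 3))
    print("devices per count    :", devices_per_event_count(c))
```

With the sample above, `lowest_n(c, 3)` returns only three of the five devices that share the three lowest counts, while `lowest_n_groups(c, 3)` returns all five; that difference is why the `streamstats` version was needed once several tablets tied at one, two and three events.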

Communicator

Fantastic.

Thank you!

0 Karma