Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- add a count column in the table
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ringbbg
Engager
02-22-2017
03:22 PM
Hi All.
I want to add an additional column in the table to display how many times a particular host in the set time frame had a distinct hit based on the search query below. Can anyo0ne advise how I can add it to the table?
<search>
<query>index=nm "RPD_OSPF_NBR*" host=$hostname2$ syslog_message!="*ExStart due to*" syslog_message!="*UI_CMDLINE_READ_LINE*" | dedup syslog_message | table _time, host, ip, state, syslog_message | sort 0 -_time</query>
<earliest>$_time.earliest$</earliest>
<latest>$_time.latest$</latest>
</search>
<option name="count">20</option>
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
02-22-2017
04:14 PM
Like this:
index=nm "RPD_OSPF_NBR*" host=$hostname2$ syslog_message!="*ExStart due to*" syslog_message!="*UI_CMDLINE_READ_LINE*" | stats count max(_time) AS _time BY host ip state syslog_message | sort 0 -_time
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
02-22-2017
04:14 PM
Like this:
index=nm "RPD_OSPF_NBR*" host=$hostname2$ syslog_message!="*ExStart due to*" syslog_message!="*UI_CMDLINE_READ_LINE*" | stats count max(_time) AS _time BY host ip state syslog_message | sort 0 -_time
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ringbbg
Engager
02-22-2017
05:47 PM
thanks! is there a way to rearrange the order of the column? with the syntax above, the _time column is at the rightmost part of the table. I would like it to be in the left most side, or the first column. Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
02-22-2017
07:02 PM
Just add | table Your Preferred Order Of Field Names Here. Be sure to click Accept to close the question if the answer worked for you.
Get Updates on the Splunk Community!
Data Management Digest – December 2025
Welcome to the December edition of Data Management Digest!
As we continue our journey of data innovation, the ...
Index This | What is broken 80% of the time by February?
December 2025 Edition
Hayyy Splunk Education Enthusiasts and the Eternally Curious!
We’re back with this ...
Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...
Hello Splunk Community,
We're thrilled to share an exciting update that will help you manage your data more ...
