Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

list common uid on two hosts

nikkuu
New Member
‎01-26-2017 07:33 PM

I am trying to list out common uid on two different hosts.
I am using this but this give a visual of all uids including the common ones.
sourcetype=access $host1$ OR $host2$ error=2*| chart max(O) over host by uid

Tags (1)
0 Karma
Reply

somesoni2
Revered Legend
‎01-27-2017 12:06 PM

It will depend a lot on what's your final output should be. If you just want to know list of uid which are on both hosts, you could do like this

sourcetype=access $host1$ OR $host2$ error=2* | stats dc(host) as host_count by uid | where host_count=2

If you want list hosts as well,

sourcetype=access $host1$ OR $host2$ error=2*| chart dc(uid) over host by uid | addtotals | where Total=2
0 Karma
Reply

snoobzilla
Builder
‎01-27-2017 10:27 AM

Eventstats should work, though not terribly efficient...

sourcetype=access $host1$ OR $host2$ error=2*
| eventstats dc(host) AS hosts by uid
| search hosts>1
| chart max(O) over host by uid
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...