Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How can I have a Search return multiple Stats and a Total?

TDeFrank
Observer
‎09-14-2020 03:07 PM

I have an issue which seems to be simple but after 2 days I'm still struggling.  I am attempting to have one search return the number of Logins for a large set of Hosts for both Windows and Linux.  I have successfully figured out each Search which will give me the numbers I want, however it only ever returns 1 Stat row.  I want to be able to show both numbers plus a total.  Here is my search altered slightly for security...

index=windows [ inputlookup hosts.csv |  fields host] EventCode = 4627
|  stats count as winlogins
| appendcols
    [search index=linux [ inputlookup hosts.csv |  fields host]  type=login
|  stats count as linuxlogins]
| addtotals

What I get is each value and a Total but it only has 1 Statistics row so I am unsure how to create a useful Visualization(Report) which will ultimately be placed on a Dashboard.  How can I get 1 search to return all 3 values as seperate Statistics so I can post a Report on a Dashboard?

Labels (1)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-14-2020 04:05 PM

Have you tried something like

( index=windows EventCode = 4627 ) OR ( index=linux type=login ) [ inputlookup hosts.csv |  fields host]
| stats count by index
| addtotals
0 Karma
Reply

TDeFrank
Observer
‎09-15-2020 06:19 AM

Yes I've tried using or before with no success, your query below returns 0 Events so that will not work either.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-15-2020 06:45 AM

Sorry I missed a pipe

( index=windows EventCode = 4627 ) OR ( index=linux type=login ) [ | inputlookup hosts.csv |  fields host]
| stats count by index
| addtotals
0 Karma
Reply

TDeFrank
Observer
‎09-15-2020 07:00 AM

I tried it with the additional pipe - still 0 events are returned.  I've been testing today and It seems that Splunk has an issue with OR if you are using a Lookup - no matter the syntax.  I even tried this way and it still returns 0 events...

(index=windows [ inputlookup hosts.csv |  fields host] EventCode = 4627) or (index=linux [ inputlookup hosts.csv |  fields host]  type=login)

Running each inside the ( ) individually works just fine, but using OR returns 0 events.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-15-2020 07:04 AM

So, do you get the counts you need without the inputlookup?

0 Karma
Reply

TDeFrank
Observer
‎09-15-2020 07:30 AM

Holy Smokes - so the issue with the OR was I did not have it all caps - I thought an OR was an or but not here - cryptic...

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-15-2020 07:34 AM

Same goes for AND by the way - easy one to miss - been there, done that!

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...