I want to get a list of servers that are reporting into Splunk via UF or WMI or both. I have this going for me, but I want to add something to it that would show: if the count for WMI is >1 then yes, if the count for UF is >1 then yes, if the counts for both UF and WMI are >1 then both. Would this be possible? I'm not sure how to do "where count equals" in Splunk yet.
sourcetype=WinEventLog OR sourcetype=WMI:WinEventLog [|inputlookup wmi.csv | fields WIM | rename WIM as host] |chart count(eval(sourcetype="WinEventLog")) as UF,count(eval(sourcetype="WMI:WinEventLog")) as WMI by host
Try something like this
sourcetype=WinEventLog OR sourcetype=WMI:WinEventLog [|inputlookup wmi.csv | fields WIM | rename WIM as host] | eval TypeUF=if(sourcetype="WinEventLog",1,0) | eval TypeWMI=if(sourcetype="WMI:WinEventLog",1,0) | eval TypeBOTH=if(TypeUF+TypeWMI=2,1,0) | stats sum(TypeUF) as UF, sum(TypeWMI) as WMI, sum(TypeBOTH) as BOTH by host
UPDATED
This should do the trick.
sourcetype=WinEventLog OR sourcetype=WMI:WinEventLog [|inputlookup wmi.csv | fields WIM | rename WIM as host] | eval TypeUF=if(sourcetype="WinEventLog",1,0) | eval TypeWMI=if(sourcetype="WMI:WinEventLog",1,0) | stats sum(TypeUF) as UF, sum(TypeWMI) as WMI by host | eval UF=if(UF>0,"yes","no") | eval WMI=if(WMI>0,"yes","no") | eval BOTH=if(UF="yes" AND WMI="yes","yes","no")
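The final query above filters to the two Windows event sourcetypes, keeps only hosts listed in wmi.csv, sums per-host indicator fields, and then rewrites UF/WMI as yes/no before deriving BOTH. As an added example that is not part of this thread, here is a pure-Python model of that pipeline over constructed events and a constructed wmi.csv, so the yes/no/both logic can be checked offline. It also exposes one caveat the SPL shares: a host that is in the lookup but sends no events never appears in the stats output, so a separate check is needed to spot silent hosts.

```python
# Added example: Python model of the thread's final SPL pipeline.
# WMI_CSV and EVENTS are constructed sample data, not real Splunk output.
from collections import defaultdict

# Stand-in for wmi.csv; the subsearch renames column WIM to host.
WMI_CSV = [{"WIM": "serverA"}, {"WIM": "serverB"},
           {"WIM": "server5"}, {"WIM": "serverZ"}]

# Stand-in for indexed events; only sourcetype and host matter here.
EVENTS = (
    [{"sourcetype": "WinEventLog", "host": "serverA"}] * 3
    + [{"sourcetype": "WinEventLog", "host": "serverB"}] * 2
    + [{"sourcetype": "WMI:WinEventLog", "host": "serverB"}]
    + [{"sourcetype": "WMI:WinEventLog", "host": "server5"}] * 4
    + [{"sourcetype": "WinEventLog", "host": "server32"}]   # not in wmi.csv
    + [{"sourcetype": "Syslog", "host": "serverA"}]         # wrong sourcetype
)


def report_sources(events, lookup):
    """Return {host: {"UF": yes/no, "WMI": yes/no, "BOTH": yes/no}}."""
    hosts_in_lookup = {row["WIM"] for row in lookup}      # the subsearch
    counts = defaultdict(lambda: {"UF": 0, "WMI": 0})    # sum(TypeUF/TypeWMI)
    for ev in events:
        if ev["host"] not in hosts_in_lookup:
            continue
        if ev["sourcetype"] == "WinEventLog":             # TypeUF=1
            counts[ev["host"]]["UF"] += 1
        elif ev["sourcetype"] == "WMI:WinEventLog":       # TypeWMI=1
            counts[ev["host"]]["WMI"] += 1
    rows = {}
    for host, c in counts.items():
        uf = "yes" if c["UF"] > 0 else "no"              # eval UF=if(UF>0,...)
        wmi = "yes" if c["WMI"] > 0 else "no"            # eval WMI=if(WMI>0,...)
        both = "yes" if uf == "yes" and wmi == "yes" else "no"
        rows[host] = {"UF": uf, "WMI": wmi, "BOTH": both}
    return rows


def silent_hosts(events, lookup):
    """Hosts in the lookup that sent nothing; 'stats ... by host' drops them."""
    reporting = set(report_sources(events, lookup))
    return sorted({row["WIM"] for row in lookup} - reporting)


if __name__ == "__main__":
    for host, row in sorted(report_sources(EVENTS, WMI_CSV).items()):
        print(host, row["UF"], row["WMI"], row["BOTH"])
    print("silent:", silent_hosts(EVENTS, WMI_CSV))
```

Note that, as in the SPL, the raw UF and WMI counts are overwritten by yes/no; keep the sums under different names if the counts themselves are still wanted.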
Thank you! However, for some reason this did not work too well for me. I think it may be because I'm counting the number of logs for each sourcetype. That's why I think I need to do: where count >1 output yes, if 0 output no, if >1 for both then have another column say Both. Would this be possible?
What is your expected output format (columns) and their corresponding values?
host      UF      WMI
serverA   54332   0
serverB   906     221
server32  332     0
server5   0       3432

I want to change this to:

host      UF    WMI   Both
serverA   Yes   no
serverB   0     0     Yes
server32  Yes   0
server5   0     Yes
See the updated answer
You're the MAN! Thanks!