- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- New to splunk, looking for total calculator by wee...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So far I think I have the syntax built out like this
index=tool OR index=tool2 OR index=tool3
| eval parta=(index=tool information, information | stats count)
| eval partb=(index=tool2 information, information | stats count)
| eval partc=(index=tool3 information, | stats count)
| table parta partb partc
Thinking this will get me totals for the separate tools, but I'm looking to get just 1 total, per week if possible. I was thinking addtotals would help, but not sure. Any and all help would be very appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
With this use case I would like to suggest to go with below approach where we fetch only those event which have specific fields as you mentioned from below search.
(index=tool1 field1=*) OR (index=tool2 field2=*) OR (index=too3 field3=*)After this just do stats by index.
| stats count by index at this level the index will have the count which has specific field.
You can add | addcoltotals command or remove by index from above search.
like,
(index=tool1 field1=*) OR (index=tool2 field2=*) OR (index=too3 field3=*)
| stats count by index
| addcoltotals
OR
(index=tool1 field1=*) OR (index=tool2 field2=*) OR (index=too3 field3=*)
| stats count
To get weekly count you can try this also.
(index=tool1 field1=*) OR (index=tool2 field2=*) OR (index=too3 field3=*)
| bin _time span=w
| stats count by index _time
I hope this will help you.
Thanks
KV
▄︻̷̿┻̿═━一
If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Awesome thanks for the help! I guess the timeframe isn't such a huge deal because I can adjust the parameters of the search, the problem I'm having is the search itself. Each one of the tools has a separate event that I want to use to find the total count of event. All the other fields do not necessarily help with a total count. So all in all I want to index a tool, then get a total count by event in that tool, then be able to display it. If I'm not making sense feel free to critique my thinking.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For example, if I use the index= all tools, and then add a field where it doesnt count all the events, only a few
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you share some sample events from the different indexes showing the different events you want to count? Best to share these in code blocks </> so they are easier to use for testing solutions.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sure, I can try, but I would like to stay as generic as possible:
index=tool1 OR index=tool2 OR index=too3
So I would like to index the 3 of these tools, but search for specific fields with each tool. Lets say,
tool1 field I want is called field 1, tool 2 is called field 2, and tool 3 is called field 3.
I hate to be so vague, and I really do appreciate the help. I can do a:
|stats count by field 1, but not sure how to get the counts and display all 3 fields.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
With this use case I would like to suggest to go with below approach where we fetch only those event which have specific fields as you mentioned from below search.
(index=tool1 field1=*) OR (index=tool2 field2=*) OR (index=too3 field3=*)After this just do stats by index.
| stats count by index at this level the index will have the count which has specific field.
You can add | addcoltotals command or remove by index from above search.
like,
(index=tool1 field1=*) OR (index=tool2 field2=*) OR (index=too3 field3=*)
| stats count by index
| addcoltotals
OR
(index=tool1 field1=*) OR (index=tool2 field2=*) OR (index=too3 field3=*)
| stats count
To get weekly count you can try this also.
(index=tool1 field1=*) OR (index=tool2 field2=*) OR (index=too3 field3=*)
| bin _time span=w
| stats count by index _time
I hope this will help you.
Thanks
KV
▄︻̷̿┻̿═━一
If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is great! Thank you so much for all of your help!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are you looking for something this?
Just execute for last 7 days OR week.
index=tool OR index=tool2 OR index=tool3
| stats count by index | addcoltotals
OR
index=tool OR index=tool2 OR index=tool3
| stats count
Thanks
KV
▄︻̷̿┻̿═━一
If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try something like this
index=tool OR index=tool2 OR index=tool3
| bin _time span=1w
| stats count by index _time
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
