Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Dev
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Apps & Add-ons
- :
- Splunk Development
- :
- Splunk Dev
- :
- Can you help me count the values of two different ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jip31
Motivator
10-17-2018
07:10 AM
Hello
I use the code below in order to count the number of hosts by OS and by build. But, it doesn't work.
Could you help me please??
host=*
index="windows" sourcetype="wineventlog"
SourceName="*" Type="Critique" OR Type="*"
| dedup host
| stats count by host
| join host [search index=windows sourcetype=winregistry key_path="\\registry\\machine\\software\\wow6432node\\x\\master\\WindowsVersion"
OR
key_path="\\registry\\machine\\software\\microsoft\\windows nt\\currentversion\\ReleaseId"
|eval OS=if(key_path=="\\registry\\machine\\software\\wow6432node\\x\\master\\WindowsVersion",data, null),
Build=if(key_path=="\\registry\\machine\\software\\microsoft\\windows nt\\currentversion\\ReleaseId",data,null)
| stats values(data) as OS by host]
| stats count values(host) by OS, Build
| rename count as Total
| table OS Build Total
| sort -Total limit=10
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
10-17-2018
07:25 AM
Give this a try
host=*
index="windows" sourcetype="wineventlog" SourceName="*" Type="Critique" OR Type="*"
| dedup host
| stats count by host
| append [search index=windows sourcetype=winregistry key_path="\\registry\\machine\\software\\wow6432node\\x\\master\\WindowsVersion"
OR
key_path="\\registry\\machine\\software\\microsoft\\windows nt\\currentversion\\ReleaseId"
|eval OS=if(key_path=="\\registry\\machine\\software\\wow6432node\\x\\master\\WindowsVersion",data, null),
Build=if(key_path=="\\registry\\machine\\software\\microsoft\\windows nt\\currentversion\\ReleaseId",data,null)
| stats latest(OS) as OS latest(Build) as Build by host ]
| stats values(OS) as OS values(Build) as Build by host
| stats count as Total by OS Build
| sort -Total limit=10
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
inventsekar
SplunkTrust
10-17-2018
07:34 AM
i think
| stats count values(host) by OS, Build
is wrong..
try -
index=* | stats values(host) as HostCount by OS Build
thanks and best regards,
Sekar
PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
Sekar
PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
10-17-2018
07:25 AM
Give this a try
host=*
index="windows" sourcetype="wineventlog" SourceName="*" Type="Critique" OR Type="*"
| dedup host
| stats count by host
| append [search index=windows sourcetype=winregistry key_path="\\registry\\machine\\software\\wow6432node\\x\\master\\WindowsVersion"
OR
key_path="\\registry\\machine\\software\\microsoft\\windows nt\\currentversion\\ReleaseId"
|eval OS=if(key_path=="\\registry\\machine\\software\\wow6432node\\x\\master\\WindowsVersion",data, null),
Build=if(key_path=="\\registry\\machine\\software\\microsoft\\windows nt\\currentversion\\ReleaseId",data,null)
| stats latest(OS) as OS latest(Build) as Build by host ]
| stats values(OS) as OS values(Build) as Build by host
| stats count as Total by OS Build
| sort -Total limit=10
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jip31
Motivator
10-17-2018
11:56 PM
thanks a lot it s perfect
Get Updates on the Splunk Community!
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...
Shape the Future of Splunk: Join the Product Research Lab!
Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...
Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal
You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...
