Splunk Enterprise Security

Trying to create a csv with time, count, and OS


Trying to create a csv file with information that includes the total count of systems, OS, and current time

| inputlookup managed_hosts
| get_os_cat(host_name, category)
| search category=server
| rename category AS os
| eval rel_time = now() - not sure if this is correct, but this will take the current time??

here is where I get a bit confused, I know that I need to keep OS, and current time, but when I run the command below I get rid of OS and the time

| stats count by host_name
| stats sum(count) as total
| table total os rel_time

not sure how to go about adding OS and time to the total count of servers eventually tabling the results
I want one column to show OS, one to show the time, and the last as count

I want to use this csv to build a trend graph over time that I will run the report on a weekly basis

Thank you for the help

0 Karma


the stats command dumps any information not asked for. You could try eventstats:
| eventstats sum(count) BY host_name AS Total


If this reply helps you, an upvote would be appreciated.
Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...