Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to get a count from certain process on multiple machines?

coldwolf7
Explorer
‎06-29-2023 02:22 PM

Hello,

So am trying to get a report of how many times in a month a certain process runs  on a machine and when the last it did

index=wss_desktop_perfmon sourcetype="wks:Perf_Process" instance!="_Total" instance!="idle" 
| where instance like "%bplus.wtk%"

So this is the start of the search. The process bplus.wtk in splunk can have multiple instances like 

bplus.wtk2#1

bplus.wtk2#2

bplus.wtk2#3

I do not care about the info past bplus.wtk I just want a count of how many times that shows up in month on a machine and count it

On that machine I want a report that looks like 

Computer  bplus.wtk  Last Time it Ran
workstation1 100 6/23/2023
workstation2  250 6/27/2023

 

I have tried Stats count and it is not working because I think it is a string value I am looking at and not a number value. 

Any help is appreciated

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎07-04-2023 06:04 AM

Hi

I think that something like this should work

index=wss_desktop_perfmon sourcetype="wks:Perf_Process" instance="*" instance!="_Total" instance!="idle" 
| where instance like "%bplus.wtk%"
| stats count as "bplus.wtk" max(_time) as lastRun by Computer
| eval lastRun = strftime(lastRun, "%m/%d/%Y")
| table Computer "bplus.wtk" lastRun

Usually you should add that instance = "*xyz*" on first line, but as you have wildcard also in the beginning on it, it could be better (in point of performance) to have it separately? You should check it by Job Inspector. Also check if those instance!=xyz are better to drop or not as you are selecting only some specific instances on second line. Splunk is not good for != and NOT (in performance point of view).

r. Ismo

View solution in original post

Reply
Solved! Jump to solution

coldwolf7
Explorer
‎07-05-2023 11:29 AM

That worked perfectly. I did take out the where statement and put the instance = "*xyz*" on the first line and took out the != and ran so much faster

Reply
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎07-04-2023 06:04 AM

Hi

I think that something like this should work

index=wss_desktop_perfmon sourcetype="wks:Perf_Process" instance="*" instance!="_Total" instance!="idle" 
| where instance like "%bplus.wtk%"
| stats count as "bplus.wtk" max(_time) as lastRun by Computer
| eval lastRun = strftime(lastRun, "%m/%d/%Y")
| table Computer "bplus.wtk" lastRun

Usually you should add that instance = "*xyz*" on first line, but as you have wildcard also in the beginning on it, it could be better (in point of performance) to have it separately? You should check it by Job Inspector. Also check if those instance!=xyz are better to drop or not as you are selecting only some specific instances on second line. Splunk is not good for != and NOT (in performance point of view).

r. Ismo

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

Introduction to Splunk AI

How are you using AI in Splunk? Whether you see AI as a threat or opportunity, AI is here to stay. Lucky for ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Maximizing the Value of Splunk ES 8.x

Splunk Enterprise Security (ES) continues to be a leader in the Gartner Magic Quadrant, reflecting its pivotal ...