Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Append Columns to Top Output

samhodgson
Path Finder
‎03-26-2018 03:13 AM

Hi,

I have the following search and I would like to enumerate a total event count prior to the Top function and then append it to the results:

`nagios_index` `nagios_core_sourcetype` host_name="*" ((eventname="SERVICE ALERT" NOT status_code="OK") OR 
(eventname="HOST ALERT" NOT status_code="UP")) 
| eval name=if(eventname=="HOST ALERT","Host",service) 
| top eventname,host_name,name limit="100"

The macro's at the start just specify the index and sourcetype. From what I can tell there is no way to append columns to Top's output? Any help on the best way to achieve the desired output would be greatly appreciated!

Cheers

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

tiagofbmm
Influencer
‎03-26-2018 03:20 AM

Hey

Can you use eventstats before doing the count?

 `nagios_index` `nagios_core_sourcetype` host_name="*" ((eventname="SERVICE ALERT" NOT status_code="OK") OR 
 (eventname="HOST ALERT" NOT status_code="UP")) 
 | eval name=if(eventname=="HOST ALERT","Host",service) 
 | eventstats count(whatever_you_want_to_count) as CountField
 | top eventname,host_name,name,CountField limit="100"

View solution in original post

Reply
Solved! Jump to solution
Solution

tiagofbmm
Influencer
‎03-26-2018 03:20 AM

Hey

Can you use eventstats before doing the count?

 `nagios_index` `nagios_core_sourcetype` host_name="*" ((eventname="SERVICE ALERT" NOT status_code="OK") OR 
 (eventname="HOST ALERT" NOT status_code="UP")) 
 | eval name=if(eventname=="HOST ALERT","Host",service) 
 | eventstats count(whatever_you_want_to_count) as CountField
 | top eventname,host_name,name,CountField limit="100"
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

A Prelude to .conf25: Your Guide to Splunk University

Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...