Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Append Columns to Top Output

samhodgson
Path Finder
‎03-26-2018 03:13 AM

Hi,

I have the following search and I would like to enumerate a total event count prior to the Top function and then append it to the results:

`nagios_index` `nagios_core_sourcetype` host_name="*" ((eventname="SERVICE ALERT" NOT status_code="OK") OR 
(eventname="HOST ALERT" NOT status_code="UP")) 
| eval name=if(eventname=="HOST ALERT","Host",service) 
| top eventname,host_name,name limit="100"

The macro's at the start just specify the index and sourcetype. From what I can tell there is no way to append columns to Top's output? Any help on the best way to achieve the desired output would be greatly appreciated!

Cheers

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

tiagofbmm
Influencer
‎03-26-2018 03:20 AM

Hey

Can you use eventstats before doing the count?

 `nagios_index` `nagios_core_sourcetype` host_name="*" ((eventname="SERVICE ALERT" NOT status_code="OK") OR 
 (eventname="HOST ALERT" NOT status_code="UP")) 
 | eval name=if(eventname=="HOST ALERT","Host",service) 
 | eventstats count(whatever_you_want_to_count) as CountField
 | top eventname,host_name,name,CountField limit="100"

View solution in original post

Reply
Solved! Jump to solution
Solution

tiagofbmm
Influencer
‎03-26-2018 03:20 AM

Hey

Can you use eventstats before doing the count?

 `nagios_index` `nagios_core_sourcetype` host_name="*" ((eventname="SERVICE ALERT" NOT status_code="OK") OR 
 (eventname="HOST ALERT" NOT status_code="UP")) 
 | eval name=if(eventname=="HOST ALERT","Host",service) 
 | eventstats count(whatever_you_want_to_count) as CountField
 | top eventname,host_name,name,CountField limit="100"
Reply
Get Updates on the Splunk Community!

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

 Ready to master Kubernetes and cloud monitoring like the pros?Join  Splunk’s Growth Engineering team for an ...

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

To Community SOAR App Developers - we're reaching out with an important update regarding Python 3.9's ...

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...