Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Combining results in a search
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a search that graphs the number of events based on host name. It even colour codes into Windows and Linux hosts. The search goes like this:
(index="main" OR index="win*")
| stats count as total by host,index
| eval host=lower(host)
| sort host
| eval Linux = if(index=="main",total, 0)
| eval Windows = if((index == "windows") or (index == "wineventlog"), total, 0)
| fields host Linux Windows
This works exactly as expected except in the scenario when a host reports via two different indexes. When this occurs, the host is shown twice. Once for each index.
For example, host server1 has data indexed to Windows and to WinEventLog so two enteries appear for server1 (one for each index).
My question is, how can I get the search to combine the counts into a single entry so that I only see each host once.
I've tried something like "| eval Windows = if(index like "win%", total, 0)" but that does not give the desired result.
Any suggestions greatly appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
After line 6, add a | stats sum(Linux) as Linux, sum(Windows) as Windows by host. This should take all of the numeric values for all indexes post-characterization of Linux or Windows and sum them by host.
The alternative is to put your two eval statements first, and then using the same command I showed above in place of your stats command, but that option might be slightly more expensive. You can try them both and assuming they return the same values, pick whichever one returns faster!
Hope this helps
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The reason eval won't work to combine two rows is that it's a streaming command https://docs.splunk.com/Documentation/Splunk/8.0.0/Search/Typesofcommands#Streaming_and_non-streamin... and works on an event level, while stats, which I suggest below, is a transforming command (transforms after all rows are indexed and can do aggregations like you're interested in doing).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
After line 6, add a | stats sum(Linux) as Linux, sum(Windows) as Windows by host. This should take all of the numeric values for all indexes post-characterization of Linux or Windows and sum them by host.
The alternative is to put your two eval statements first, and then using the same command I showed above in place of your stats command, but that option might be slightly more expensive. You can try them both and assuming they return the same values, pick whichever one returns faster!
Hope this helps
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That did the trick. Thank you @aberkow
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
