index=rhwindows sourcetype="WinEventLog:System" Type=Error OR Type=Warning NOT (*PrintSpooler OR *SpoolerWin32SPL) earliest=-24h@h latest=now | chart count over host by SourceName
Hopefully simple one:
Given the search above, how do I only display counts that are greater than one for a SourceName of a host?
Thanks.
I had a similar need, this worked for me:
...| stats count as Total by host, SourceName | search Total > 5 | chart last(Total) over host by SourceName
Finally got back to this:
Found this post:
http://splunk-base.splunk.com/answers/56425/counting-distinct-field-values-and-dislaying-count-and-v...
Using this idea, I did something like this.
| stats count by SourceName host | search count > 2 | table SourceName, host, count | sort -count
Not the way I really wanted it but it works.
Sort of, I don't want any host where the count in any column of the columns is less than 2. A lot of these systems generate some one-off events; I do not want to display those. I would assume if a host has a 28 in a column the others will still need to be zero or 1 because the host is listed.
If there was a better way to chart/table these I would be up for that. Maybe a multi listing or something.
Trying to make it easier to read and see issue spots.
@dchodur, did you try my new search in my answer using streamstats?
Appreciate the response, still not acting like I want. Maybe an example is best.
host | DnsApi | Kerberos | Microsoft-Windows-GroupPolicy | Microsoft-Windows-Resource-Exhaustion-Detector | Microsoft-Windows-Service Control Manager | Microsoft-Windows-Time-Service | PlugPlayManager | Print | Service Control Manager Eventlog Provider | TermServDevices
CLAIMS | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 2 | 0 | 0
DIVSRV | 0 | 0 | 0 | 0 | 0 | 6 | 0 | 0 | 0 | 0
MQVMa | 0 | 0 | 0 | 0 | 0 | 0 | 226 | 0 | 0 | 0
MQVMb | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 1
PASSEXTN1 | 0 | 0 | 28 | 0 | 0 | 0 | 0 | 0 | 0 | 0
RHEDOC | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 1
VIPPsrv | 1 | 0 | 0 | 0 | 0 | 7 | 0 | 0 | 0 | 0
I want to drop off systems like MQVMb and RHEDOC since they only have a count of one in any of the columns.
When I do the suggested way, or anything where I seem to conditionally count, I lose systems like MQVMa and the 226 or PASSEXTN1 and the 28.
Sure I am just not building out the search correctly from the get-go.
@dchodur,
I've added an update.
So you want to drop any host whose total SourceName count is less than 5?
I would use a where clause and stats. Keep in mind I am doing this off the cuff.
...| stats count by host, SourceName | where count>5 | chart sum(count) over host by SourceName
This may get you closer. Also might work better with subsearch.
...| stats count by host, SourceName | streamstats sum(count) as total_count by host | selfjoin host | where total_count>5 | chart sum(count) over host by SourceName
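An added example search, not from any poster in this thread, that keeps a whole host only when at least one of its SourceName counts reaches 2, which is the filter the table above asks for. It uses eventstats (the per-host maximum is attached to every row, so no streamstats/selfjoin is needed) and then charts the preserved counts with sum(count); the base search and the host, SourceName and count field names are the ones used above, and the threshold of 2 is the "less than 2" cut-off from the question.

```spl
index=rhwindows sourcetype="WinEventLog:System" (Type=Error OR Type=Warning) NOT (*PrintSpooler OR *SpoolerWin32SPL) earliest=-24h@h latest=now
| stats count by host, SourceName
| eventstats max(count) as max_count by host
| where max_count >= 2
| chart sum(count) over host by SourceName
```

Against the table above this drops MQVMb and RHEDOC (highest cell 1) and keeps CLAIMS, DIVSRV, MQVMa, PASSEXTN1 and VIPPsrv with all their cells intact, including VIPPsrv's 1 under DnsApi; replacing the eventstats and where lines with `| where count >= 2` would instead blank individual cells below 2, which is what the first form of the question asked for.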