Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Converting a field from a string to a number

jason_hotchkiss
Communicator
‎07-15-2021 08:07 AM

So, long story short...

I am trying to determine the event count by source, which host is producing the most events in that source, and who owns the host (custom_field).

Any suggestions on how to accomplish this would be helpful.  Thank you.

This is what I have tried so far:  

| tstats count as events where index=wineventlog sourcetype=* by _time host custom_field source
| search custom_field=unit1 OR custom_field=unit_2 OR custom_field=unit_3

Then I run a stats command to collect the event count, then list the event count by the custom_field

| stats
  sum(events) as total_events
  list(events) as event_counts
  list(source) as source
  list(host) as host
  by custom_field

I understand that event_counts is now a string.  However, I would like to be able to use these numbers to determine which source is producing the most events by each custom_field.

I have tried:

| convert num(event_counts)
| eval num_events = tonumber(event_counts)

But these don't work unless I use

| mvexpand event_counts 

This then skews the results to where they don't make any sense.  I want to convert the event_count field to a number so I can make a chart or a timechart from it as well to analyze the growth over time.

Thanks in advanced.





                                                  

Labels (6)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎07-15-2021 09:38 AM

@jason_hotchkiss 

After your initial search,

| tstats count as events where index=wineventlog sourcetype=* by _time host custom_field source
| search custom_field=unit1 OR custom_field=unit_2 OR custom_field=unit_3

 

I would like you to try with eventstats command,  using this search you will have sum of events by source and custom_field. 

| eventstats sum(events) as event_counts by source,custom_field

You can change it as your requirement, 

| eventstats sum(events) as event_counts by host,source

Another reason using eventstats, in case you want to use timechart then it requires _time files but after stats command you mentioned in question _time won't be there. with event stats you will have _time with you.

Then you can try 

| chart sum(events) as event_counts over custom_field by host

OR

| timechart sum(events) as event_counts by custom_field

From timechart I am trying to determine the total count of events for each host by custom_field

Timechart allow only single by clause so may be you can try above one

I hope this will help you. Just try it and let me know if you need any help.

 

View solution in original post

Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎07-15-2021 08:33 AM

@jason_hotchkiss 

Can you please share your requirement what you want to achieve from tstats , stats and then timechart commands? If you share more details then we can suggest optimised solution.

 

0 Karma
Reply
Solved! Jump to solution

jason_hotchkiss
Communicator
‎07-15-2021 09:13 AM

From tstats I am trying to count events by source host custom_field _time

From stats I am trying to determine total events for each source and the host using that source.

From timechart I am trying to determine the total count of events for each host by custom_field


0 Karma
Reply
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎07-15-2021 09:38 AM

@jason_hotchkiss 

After your initial search,

| tstats count as events where index=wineventlog sourcetype=* by _time host custom_field source
| search custom_field=unit1 OR custom_field=unit_2 OR custom_field=unit_3

 

I would like you to try with eventstats command,  using this search you will have sum of events by source and custom_field. 

| eventstats sum(events) as event_counts by source,custom_field

You can change it as your requirement, 

| eventstats sum(events) as event_counts by host,source

Another reason using eventstats, in case you want to use timechart then it requires _time files but after stats command you mentioned in question _time won't be there. with event stats you will have _time with you.

Then you can try 

| chart sum(events) as event_counts over custom_field by host

OR

| timechart sum(events) as event_counts by custom_field

From timechart I am trying to determine the total count of events for each host by custom_field

Timechart allow only single by clause so may be you can try above one

I hope this will help you. Just try it and let me know if you need any help.

 

Reply
Solved! Jump to solution

jason_hotchkiss
Communicator
‎07-20-2021 07:18 AM

This has been most helpful.  I was able to use your examples to create my dashboard.  Thank you for your help.

0 Karma
Reply
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...