Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Converting a field from a string to a number

jason_hotchkiss
Communicator
‎07-15-2021 08:07 AM

So, long story short...

I am trying to determine the event count by source, which host is producing the most events in that source, and who owns the host (custom_field).

Any suggestions on how to accomplish this would be helpful.  Thank you.

This is what I have tried so far:  

| tstats count as events where index=wineventlog sourcetype=* by _time host custom_field source
| search custom_field=unit1 OR custom_field=unit_2 OR custom_field=unit_3

Then I run a stats command to collect the event count, then list the event count by the custom_field

| stats
  sum(events) as total_events
  list(events) as event_counts
  list(source) as source
  list(host) as host
  by custom_field

I understand that event_counts is now a string.  However, I would like to be able to use these numbers to determine which source is producing the most events by each custom_field.

I have tried:

| convert num(event_counts)
| eval num_events = tonumber(event_counts)

But these don't work unless I use

| mvexpand event_counts 

This then skews the results to where they don't make any sense.  I want to convert the event_count field to a number so I can make a chart or a timechart from it as well to analyze the growth over time.

Thanks in advanced.





                                                  

Labels (6)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎07-15-2021 09:38 AM

@jason_hotchkiss 

After your initial search,

| tstats count as events where index=wineventlog sourcetype=* by _time host custom_field source
| search custom_field=unit1 OR custom_field=unit_2 OR custom_field=unit_3

 

I would like you to try with eventstats command,  using this search you will have sum of events by source and custom_field. 

| eventstats sum(events) as event_counts by source,custom_field

You can change it as your requirement, 

| eventstats sum(events) as event_counts by host,source

Another reason using eventstats, in case you want to use timechart then it requires _time files but after stats command you mentioned in question _time won't be there. with event stats you will have _time with you.

Then you can try 

| chart sum(events) as event_counts over custom_field by host

OR

| timechart sum(events) as event_counts by custom_field

From timechart I am trying to determine the total count of events for each host by custom_field

Timechart allow only single by clause so may be you can try above one

I hope this will help you. Just try it and let me know if you need any help.

 

View solution in original post

Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎07-15-2021 08:33 AM

@jason_hotchkiss 

Can you please share your requirement what you want to achieve from tstats , stats and then timechart commands? If you share more details then we can suggest optimised solution.

 

0 Karma
Reply
Solved! Jump to solution

jason_hotchkiss
Communicator
‎07-15-2021 09:13 AM

From tstats I am trying to count events by source host custom_field _time

From stats I am trying to determine total events for each source and the host using that source.

From timechart I am trying to determine the total count of events for each host by custom_field


0 Karma
Reply
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎07-15-2021 09:38 AM

@jason_hotchkiss 

After your initial search,

| tstats count as events where index=wineventlog sourcetype=* by _time host custom_field source
| search custom_field=unit1 OR custom_field=unit_2 OR custom_field=unit_3

 

I would like you to try with eventstats command,  using this search you will have sum of events by source and custom_field. 

| eventstats sum(events) as event_counts by source,custom_field

You can change it as your requirement, 

| eventstats sum(events) as event_counts by host,source

Another reason using eventstats, in case you want to use timechart then it requires _time files but after stats command you mentioned in question _time won't be there. with event stats you will have _time with you.

Then you can try 

| chart sum(events) as event_counts over custom_field by host

OR

| timechart sum(events) as event_counts by custom_field

From timechart I am trying to determine the total count of events for each host by custom_field

Timechart allow only single by clause so may be you can try above one

I hope this will help you. Just try it and let me know if you need any help.

 

Reply
Solved! Jump to solution

jason_hotchkiss
Communicator
‎07-20-2021 07:18 AM

This has been most helpful.  I was able to use your examples to create my dashboard.  Thank you for your help.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...