Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Create 1-up number (1-to-n) field for each event and create field that combines the 1-up number and total count

williamcharlton
Path Finder
‎03-18-2019 06:48 AM

I have a search that returns a event count total and produces a table

... | eventstats count AS Total | Table foo, bar, Total

Search result is, e.g.,

foo | bar | Total
fx1 | bx1 | 3
fx2 | bx2 | 3
fx3 | bx3 | 3

My goal is to produce a 4th column named "EventNumber" that shows "E of N" when E is the ordinal position of the event in the search results and N is the total number of events in the search rsults

foo | bar | Total | EventNumber
fx1 | bx1 | 3 | 1 of 3
fx2 | bx2 | 3 | 2 of 3
fx3 | bx3 | 3 | 3 of 3

So, something like

... eventstats count AS Total | Table Cluster, OwnerNode, RoleName, Total | eval EventNumber = ?????." of ".Total

How do I create a 1-up number (1-to-n) field for each event and create a field that combines the 1-up number and total count of events?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎03-18-2019 08:09 AM

Try like this

...| eventstats count AS Total 
| streamstats count as sno 
| eval EventNumber = sno." of ".Total
| Table Cluster, OwnerNode, RoleName, Total  EventNumber

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎03-18-2019 08:09 AM

Try like this

...| eventstats count AS Total 
| streamstats count as sno 
| eval EventNumber = sno." of ".Total
| Table Cluster, OwnerNode, RoleName, Total  EventNumber
Reply
Solved! Jump to solution

williamcharlton
Path Finder
‎03-18-2019 08:20 AM

I see - The streamstats command calculates statistics for each event at the time the event is seen

Good to know. Thank -you

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...