Solved: Re: Create 1-up number (1-to-n) field for each eve...

williamcharlton · ‎03-18-2019

I have a search that returns a event count total and produces a table

... | eventstats count AS Total | Table foo, bar, Total

Search result is, e.g.,

foo | bar | Total
fx1 | bx1 | 3
fx2 | bx2 | 3
fx3 | bx3 | 3

My goal is to produce a 4th column named "EventNumber" that shows "E of N" when E is the ordinal position of the event in the search results and N is the total number of events in the search rsults

foo | bar | Total | EventNumber
fx1 | bx1 | 3 | 1 of 3
fx2 | bx2 | 3 | 2 of 3
fx3 | bx3 | 3 | 3 of 3

So, something like

... eventstats count AS Total | Table Cluster, OwnerNode, RoleName, Total | eval EventNumber = ?????." of ".Total

How do I create a 1-up number (1-to-n) field for each event and create a field that combines the 1-up number and total count of events?

somesoni2 · ‎03-18-2019

Try like this

...| eventstats count AS Total 
| streamstats count as sno 
| eval EventNumber = sno." of ".Total
| Table Cluster, OwnerNode, RoleName, Total  EventNumber

View solution in original post

somesoni2 · ‎03-18-2019

Try like this

...| eventstats count AS Total 
| streamstats count as sno 
| eval EventNumber = sno." of ".Total
| Table Cluster, OwnerNode, RoleName, Total  EventNumber

williamcharlton · ‎03-18-2019

I see - The streamstats command calculates statistics for each event at the time the event is seen

Good to know. Thank -you

Create 1-up number (1-to-n) field for each event and create field that combines the 1-up number and total count

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?