Solved: Display "stats" Search as a Single Value from Summ...

curry59 · ‎06-20-2017

Hello,

Normally, I would use the following search to find my single value:

| tstats latest(_time) as latest where host=($SERVERNAME) by host
| eval noDataTime = now() - latest
| eval status = if(noDataTime>600,"HOST DOWN" ,if(noDataTime>300,"Warning","Available"))
| stats count(eval(status="Available")) AS Available

I am now forwarding the machine data to a summary index that my host names are now listed as "orig_host" in the fields. This will not allow me to run tstats, so I made the following search to find the status of the servers:

orig_host=("$SERVERNAME)
| stats latest(_time) as latest by orig_host
| eval noDataTime = now() - latest
| eval status = if(noDataTime>600,"HOST DOWN" ,if(noDataTime>300,"Warning","Available"))
| convert ctime(latest)

This will list the servers and show their status as HOST DOWN, Warning and Available. I would like to convert this to a single value, which in the past I used "stats count", but have already used "stats" in the search previously. How would I change my search of "orig_host" to a single value? Thank you!

jplumsdaine22 · ‎06-20-2017

You can use stats twice if you like! Just append

| stats count(eval(status="Available")) AS Available

to the end of the search

View solution in original post

jplumsdaine22 · ‎06-20-2017

You can use stats twice if you like! Just append

| stats count(eval(status="Available")) AS Available

to the end of the search

Display "stats" Search as a Single Value from Summary Index

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

Logs to Metrics

Developer Spotlight with Paul Stout