Splunk Search

Finding total number for OOID

splunkman341
Communicator

Hi all,

I currently have a search that I need a little tweaking to get something else that I want.

So the current search :

index=test sourcetype=test "OOID Folder workspace" | lookup client_ooid_to_name OOID OUTPUT clientName | eval Client=clientName . "(" . OOID . ")" | chart count by Client action | addtotals | sort 5 -Total

Looks up the five most active OOIDs by number, maps them to a name which I imported a lookup table for, then displays the count of actions for each OOID.

What I want to do now is to just get the total number of OOIDS per day, as opposed to finding the count for each one.

Can anyone lend a hand?

Thanks in advance for your responses.

Tags (1)
0 Karma
1 Solution

somesoni2
Revered Legend

How about this

index=test sourcetype=test "OOID Folder workspace" | timechart span=1d count(OOID) as OOID_Count

OR

index=test sourcetype=test "OOID Folder workspace" | lookup client_ooid_to_name OOID OUTPUT clientName | eval Client=clientName . "(" . OOID . ")"| timechart span=1d count(Client) as OOID_Count

View solution in original post

splunkman341
Communicator

Thanks for your responses guys! All work like a dream!

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Perhaps something like this?

index=test sourcetype=test "OOID Folder workspace" | stats dc(OOID) | ...

or maybe

index=test sourcetype=test "OOID Folder workspace" | timechart span=1d dc(OOID) | ...
---
If this reply helps you, Karma would be appreciated.

somesoni2
Revered Legend

How about this

index=test sourcetype=test "OOID Folder workspace" | timechart span=1d count(OOID) as OOID_Count

OR

index=test sourcetype=test "OOID Folder workspace" | lookup client_ooid_to_name OOID OUTPUT clientName | eval Client=clientName . "(" . OOID . ")"| timechart span=1d count(Client) as OOID_Count

landen99
Motivator

Count gives the number of events with the ooid field. DC is the correct function.

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...