Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Finding total number for OOID

splunkman341
Communicator
‎03-23-2016 11:04 AM

Hi all,

I currently have a search that I need a little tweaking to get something else that I want.

So the current search :

index=test sourcetype=test "OOID Folder workspace" | lookup client_ooid_to_name OOID OUTPUT clientName | eval Client=clientName . "(" . OOID . ")" | chart count by Client action | addtotals | sort 5 -Total

Looks up the five most active OOIDs by number, maps them to a name which I imported a lookup table for, then displays the count of actions for each OOID.

What I want to do now is to just get the total number of OOIDS per day, as opposed to finding the count for each one.

Can anyone lend a hand?

Thanks in advance for your responses.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎03-23-2016 11:10 AM

How about this

index=test sourcetype=test "OOID Folder workspace" | timechart span=1d count(OOID) as OOID_Count

OR 

index=test sourcetype=test "OOID Folder workspace" | lookup client_ooid_to_name OOID OUTPUT clientName | eval Client=clientName . "(" . OOID . ")"| timechart span=1d count(Client) as OOID_Count

View solution in original post

Reply
Solved! Jump to solution

splunkman341
Communicator
‎03-23-2016 11:30 AM

Thanks for your responses guys! All work like a dream!

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎03-23-2016 11:11 AM

Perhaps something like this?

index=test sourcetype=test "OOID Folder workspace" | stats dc(OOID) | ...

or maybe

index=test sourcetype=test "OOID Folder workspace" | timechart span=1d dc(OOID) | ...
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎03-23-2016 11:10 AM

How about this

index=test sourcetype=test "OOID Folder workspace" | timechart span=1d count(OOID) as OOID_Count

OR 

index=test sourcetype=test "OOID Folder workspace" | lookup client_ooid_to_name OOID OUTPUT clientName | eval Client=clientName . "(" . OOID . ")"| timechart span=1d count(Client) as OOID_Count
Reply
Solved! Jump to solution

landen99
Motivator
‎03-23-2016 12:17 PM

Count gives the number of events with the ooid field. DC is the correct function.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...