- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Help combining results from different searches, ap...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Help combining results from different searches, append vs. multisearch
Moderator Note: the below was originally posted as an Answer on an old question, but being it's own question it has been split out accordingly
index=testindex sourcetype=hostSoftware source="testindex://hostSoftware" host=prod1* DisplayName="anysoftware*" host=prod1* | dedup host, DisplayName | stats count(host) as #_of_Hosts_with_package by DisplayName, DisplayVersion | append [search index=testindex sourcetype=host source="testindex://hostSoftware" host=prod1*| table host | search NOT [search iindex=testindex sourcetype=hostSoftware source="testindex://hostSoftware" host=prod1* | search "DisplayName"="anysoftware*" | dedup host | table host] | rename host as Hosts_Missing_software | stats count(Hosts_Missing_software) as #_Hosts_Missing_LeostreamAgent, list(Hosts_Missing_software) as Hosts_Missing_software]
The append do not yeild all of the results due to maxout limit. So moving to multisearch.
I am trying to do same search with multisearch but not working. Any help is much appreciated. TIA
| multisearch [search index=testindex sourcetype=hostSoftware source="testindex://hostSoftware" host=prod1* | fields hos t| rename host as Hosts_raw_List | eval type="search1" ][index=testindex sourcetype=hostSoftware source="testindex://hostSoftware" host=prod1* Name="Anysoftware*" | fields host Name Version | rename host as hostwithpack | eval type="search2" ] | eval result=search1-search2.
my search1 results 12 hosts. (total number of hosts available)
search 2 results 11 hosts (Hosts with software installed)
I am looking for results like in table:
"Name" | Version | #ofhosts withsoftware | #of hosts without software | list of hosts with no software"
can anyone pls help!
TIA
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
why not just
index=testindex sourcetype=host source="testindex://hostSoftware" host=prod1*
| eval FoundSoftware=if(DisplayName="anysoftware*",1,0)
| chart max(FoundSoftware) by host DisplayName
That will give you a chart with 1's for each host for each software that was found, and 0 for each software not found on that host.
You can switch host and DisplayName if you prefer the opposite orientation.
Then you can use the above results to calculate the two pieces of information that you want.
It you want to untable the results into one record per host per DisplayName, then this command will achieve that.
| untable host DisplayName FoundSoftware
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In moving this post, a comment providing more details from @psmp was lost:
Thanks for the reply.
index=powershell sourcetype=sw_list source="powershell://cw_list" host=prod* | stats list(host)
This Query Yields 5 hosts.
Host 1
Host2
Host3
Host4
Host5
index=powershell sourcetype=sw_list source="powershell://cw_list" host=prod* packagename="Mysoftware" | stats count(host) by packagename packageversion
host packageName packageVersion
Host1 Mysoftware 1.0
Host3 Mysoftware 1.1
Host5 Mysoftware 1.0
I am looking for a Query that Yields below report:
PackageName PackageVersion Total_hosts_with_pkg Total_hosts_without ListOfHostMissingPack
Mysoftware 1.0 2 2 Host2
Mysoftware 1.1 1 Host4
Join Us for Splunk University and Get Your Bootcamp Game On!
.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!
Announcing Scheduled Export GA for Dashboard Studio
