Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Help on fields command which doesnt works

jip31
Motivator
‎02-27-2020 06:07 AM

hi

I use the search below in order to count the number of degradation by model
This search is a scheduled search and I call it from my dashboard with a loadjob command
In my dashboard, I have a dropdwon list which allows to filter the data by SITE (test.csv field)
For doing that, I need to jeep the field SITE in my search

| lookup test.csv HOSTNAME as host output SITE MODEL 
| stats values (MODEL) as Model, count(DegradationTime) as DegradationTime by host 
| stats count(host) as "Number of degradation" by Model 
| sort -"Number of degradation"

So I add "by SITE" at the end of my stats command

    | lookup test.csv HOSTNAME as host output SITE MODEL 
    | stats values (MODEL) as Model, count(DegradationTime) as DegradationTime by host SITE
    | stats count(host) as "Number of degradation" by Model SITE
    | sort -"Number of degradation"

But when I am doing this, I have double models because a same model can exist for different SITE
So how to keep the field SITE available for using it in my dropdwon list without displaying double models?
Please note that I dont need this field visible in my table panel

Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

anmolpatel
Builder
‎03-02-2020 03:18 AM

This might be what you need:

| stats count(DegradationTime) as DegradationTime dc(host) as "Number of degradation" by MODEL SITE
| stats values(DegradationTime) as DegradationTime sum("Number of degradation") as "Number of degradation" values(SITE) as SITE by MODEL
| sort - "Number of degradation" 
| fields - SITE

Corrected an error: from values("Number of degradation") to sum("Number of degradation")

I tested on this:
Degradation Model SITE host
4 Mazda3 AAA 1
5 Mazda3 AAB 2
1 Mercedes MMM 3

and I got this:
Model DegradationTime Number of degradation
Mazda3 1 2
Mercedes 1 1

As per your description, it meets the output criteria.

View solution in original post

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...