Solved: How can I display the count of host in the header?

lucien62 · ‎03-22-2018

Hello,

First of all I'm a splunk noob, I just got started and i'm learning...
I have a simple search that returns a timestamp for each host:

host       _time
x          2018-03-22 21:50
y          2018-03-22 21:55
z          2018-03-22 22:00

I'd like to display the count of host in the header of table like this:

host(3)    _time
x          2018-03-22 21:50
y          2018-03-22 21:55
z          2018-03-22 22:00

How could I do that?
(Splunk 7)

maciep · ‎03-22-2018

I'm not sure that is very straight-forward in Splunk, so the search may be a bit convoluted. Do you want that count to be unique hosts in the lists? Or should it essentially be a count of rows in the results?

Maybe something like this?

<your search so far>
| eventstats dc(host) as num_hosts
| eval "host ({num_hosts})" = host
| table "host *" _time

View solution in original post

maciep · ‎03-22-2018

I'm not sure that is very straight-forward in Splunk, so the search may be a bit convoluted. Do you want that count to be unique hosts in the lists? Or should it essentially be a count of rows in the results?

Maybe something like this?

<your search so far>
| eventstats dc(host) as num_hosts
| eval "host ({num_hosts})" = host
| table "host *" _time

lucien62 · ‎03-23-2018

Thx, it did it !

How can I display the count of host in the header?

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Get Early Access to AI Playbook Authoring: Apply for the Alpha Private Preview ...

Reduce and Transform Your Firewall Data with Splunk Data Management

Are you a member of the Splunk Community?

How can I display the count of host in the header?

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Get Early Access to AI Playbook Authoring: Apply for the Alpha Private Preview ...

Reduce and Transform Your Firewall Data with Splunk Data Management