Solved: How do you count the total # of hostnames and the ...

DEAD_BEEF · ‎12-01-2018

I have network logs and sometimes the DNS name is there, and sometimes it isn't. I am struggling to create a simple table that shows me the total # of hostnames when there is a value and the total # when it is blank.

sample data

host       hostname
1.1.1.1    host-1.com
2.2.2.2
3.3.3.3    host-3.com
4.4.4.4    host-4.com
5.5.5.5

desired output

Named    Blank
3        2

current query

| tstats count where index=network by host prestats=t
| lookup dnslookup clientip as host OUTPUT clienthost as hostname
| eventstats count(eval(NOT hostname="*")) AS Blank count(eval(hostname="*")) AS Named by hostname

final working query

| tstats count where index=network by host 
| lookup dnslookup clientip as host OUTPUT clienthost as hostname
| stats count(eval(isnull(fqdn))) AS Blank count(eval(isnotnull(fqdn))) AS Named

whrg · ‎12-02-2018

Try it like this:

... | stats count(eval(isnull(hostname))) AS Blank count(eval(isnotnull(hostname))) AS Named

View solution in original post

whrg · ‎12-02-2018

Try it like this:

... | stats count(eval(isnull(hostname))) AS Blank count(eval(isnotnull(hostname))) AS Named

DEAD_BEEF · ‎12-02-2018

That worked perfectly, thanks @whrg! I was going in circles with eventstats.

How do you count the total # of hostnames and the total # when that value is blank.?

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases

Are you a member of the Splunk Community?

How do you count the total # of hostnames and the total # when that value is blank.?

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases