Splunk Search

How to have all of the CLTW workstations to be summed up as 1 count and so forth for the other locations?

jialiu907
Path Finder

I am having trouble using the timechart command effectively to make a count of all workstations, broken down by location over time.

Currently my search is displaying a count of every individual workstation by location, but instead I am trying to have a summed count of the workstations displayed for every day.

This is the current search.

index=main $WSprefix$ sourcetype=syslog process=elcsend "\"config " CentOS 
| rex "([^!]*!){2}(?P<type>[^!]*)!([^!]*!){4}(?P<role>[^!]*)!([^!]*!){23}(?P<vers>[^!]*)"  
| dedup host 
| search role=std-dhcp
| timechart span=1d count by host

This is one output for a location.

jialiu907_0-1684437117927.png

This is an output for another location.

jialiu907_1-1684437235015.png

I have implemented a dropdown menu that selects the location based on the hosts prefix.

I am looking to have all of the CLTW workstations to be summed up as 1 count and so forth for the other locations.


ITWhisperer
SplunkTrust

Try setting ALL to "" and setting the values of the other choices to just the location, then use this search:

index=main host=$token$* sourcetype=syslog process=elcsend "\"config " CentOS 
| rex "([^!]*!){2}(?P<type>[^!]*)!([^!]*!){4}(?P<role>[^!]*)!([^!]*!){23}(?P<vers>[^!]*)"  
| dedup host 
| search role=std-dhcp
| eval location=$token|s$
| timechart span=1d count by location

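To make the difference between the two searches concrete, here is a small Python model of the pipeline in the accepted answer. It is an added example, not code from the thread or from Splunk: it reuses the poster's rex pattern verbatim (Python's re accepts the same named-group syntax), builds constructed sample events whose hosts carry the location prefixes the poster describes (cltw, orla), and then reproduces `dedup host`, the `role=std-dhcp` filter, `eval location=$token|s$` and `timechart span=1d count by <field>` so you can see why `count by host` yields one series per workstation while `count by location` rolls them into one. The event data, host names and field values are all constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Field extraction exactly as the rex posted in the thread.
REX = re.compile(
    r"([^!]*!){2}(?P<type>[^!]*)!([^!]*!){4}(?P<role>[^!]*)!([^!]*!){23}(?P<vers>[^!]*)"
)


def make_config(type_, role, vers):
    """Constructed 32-field '!'-delimited payload; only the three positions
    the rex extracts (2 = type, 7 = role, 31 = vers) carry meaningful values."""
    fields = ["x"] * 32
    fields[2], fields[7], fields[31] = type_, role, vers
    return "!".join(fields)


# Constructed sample events (not from the thread), newest first as Splunk returns them.
# Tuple layout: (day, host, raw config string).
EVENTS = [
    ("2023-05-18", "cltw-ws01", make_config("ws", "std-dhcp", "1.2")),
    ("2023-05-18", "cltw-ws02", make_config("ws", "std-dhcp", "1.2")),
    ("2023-05-18", "orla-ws01", make_config("ws", "std-dhcp", "1.1")),
    ("2023-05-18", "orla-srv01", make_config("srv", "std-static", "1.1")),
    ("2023-05-17", "cltw-ws01", make_config("ws", "std-dhcp", "1.2")),
    ("2023-05-17", "cltw-ws03", make_config("ws", "std-dhcp", "1.2")),
    ("2023-05-17", "orla-ws01", make_config("ws", "std-dhcp", "1.1")),
    ("2023-05-17", "orla-ws02", make_config("ws", "std-dhcp", "1.1")),
]


def extract(events):
    """Model of `| rex ...`: keep events that match, carrying the named groups."""
    rows = []
    for day, host, raw in events:
        m = REX.search(raw)
        if m:
            rows.append({"day": day, "host": host, **m.groupdict()})
    return rows


def dedup(rows, fields):
    """Model of `| dedup <fields>`: keep the first row seen per combination of values."""
    seen, out = set(), []
    for r in rows:
        key = tuple(r[f] for f in fields)
        if key not in seen:
            seen.add(key)
            out.append(r)
    return out


def timechart_count_by(rows, field):
    """Model of `| timechart span=1d count by <field>` -> {day: {value: count}}."""
    chart = defaultdict(Counter)
    for r in rows:
        chart[r["day"]][r[field]] += 1
    return {day: dict(counts) for day, counts in sorted(chart.items())}


def search(token, dedup_fields=("host",)):
    """Shared part of both searches: host=$token$* prefix filter, rex,
    dedup, then the role=std-dhcp filter, in the order the thread uses."""
    rows = [r for r in extract(EVENTS) if r["host"].startswith(token)]
    rows = dedup(rows, dedup_fields)
    return [r for r in rows if r["role"] == "std-dhcp"]


def count_by_host(token):
    """The original search: one series per workstation."""
    return timechart_count_by(search(token), "host")


def count_by_location(token, dedup_fields=("host",)):
    """The accepted answer: `eval location=$token|s$` then count by location,
    so every workstation matching the token rolls up into a single series."""
    rows = search(token, dedup_fields)
    for r in rows:
        r["location"] = token  # the dropdown value, e.g. "cltw"; "" for ALL
    return timechart_count_by(rows, "location")


if __name__ == "__main__":
    print(count_by_host("cltw"))
    print(count_by_location("cltw"))
    print(count_by_location("cltw", dedup_fields=("day", "host")))
```

One property of the pipeline worth checking against your own data: `dedup host` runs over the whole time range before `timechart`, so each workstation is counted on only one day (the day of its most recent matching event). If the intent is a per-day count of every workstation that reported that day, the model's `dedup_fields=("day", "host")` shows the difference; the SPL equivalent of that is my suggestion rather than the thread's, for example `bin _time span=1d | dedup host _time` placed before the timechart.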

ITWhisperer
SplunkTrust
| eval location=mvindex(split(host,"/"),0)
| timechart span=1d count by location

jialiu907
Path Finder

The results are still being displayed with each host counted as one, when what I am looking for is all of the hosts summed up.

For reference, for the input dropdown menu, the tokens I am using are ALL="host=*", CLTW="host=cltw", ORLA="host=orla*", etc.


ITWhisperer
SplunkTrust

OK, I misread your picture (that's the problem with using graphics rather than pasting text into code blocks </>!)

Try changing your dropdown to

ALL="host=", CLTW="host=cltw", ORLA="host=orla", etc.

Then use

$token$*

in your search, i.e. remove the * from the token and append it where it is used.

That way you can use

| eval location=$token|s$

jialiu907
Path Finder

Where are you suggesting I put

$token$*

I have tried putting that in Token in the editing option of the dropdown and it is invalid.

Currently my dropdown list looks like this.

jialiu907_0-1684511082067.png

I have tried changing to your suggestion of

ALL="host=", CLTW="host=cltw", ORLA="host=orla", etc.

but without the *, the search doesn't work. I assume it's due to the fact that there are multiple hosts that start with "cltw", "orla", etc., and none that are exactly just "cltw" or "orla".


ITWhisperer
SplunkTrust

Where are you using the token in your search?


jialiu907
Path Finder
index=main $token$ sourcetype=syslog process=elcsend "\"config " CentOS 
| rex "([^!]*!){2}(?P<type>[^!]*)!([^!]*!){4}(?P<role>[^!]*)!([^!]*!){23}(?P<vers>[^!]*)"  
| dedup host 
| search role=std-dhcp
| eval location=$token|s$
| timechart span=1d count by location

This is my current search.


ITWhisperer
SplunkTrust

Try setting ALL to "" and setting the values of the other choices to just the location, then use this search:

index=main host=$token$* sourcetype=syslog process=elcsend "\"config " CentOS 
| rex "([^!]*!){2}(?P<type>[^!]*)!([^!]*!){4}(?P<role>[^!]*)!([^!]*!){23}(?P<vers>[^!]*)"  
| dedup host 
| search role=std-dhcp
| eval location=$token|s$
| timechart span=1d count by location

jialiu907
Path Finder

jialiu907_0-1684518601143.png

I have done your suggestions and I am looking to see what I should put in the Token field. Currently the input menu is displaying "could not create search", as I think the connection between the search and the dropdown menu is broken.

jialiu907_1-1684518759565.png

This is what I have done with the dropdown menu as well.


jialiu907
Path Finder

I think I fixed the situation with the "could not create search" error, as I just deleted the dropdown menu and made it again, the exact same way. I'm not sure what caused the issue, but the connection does seem to work now.

Thank you for helping me through all this trouble!
