Solved: How to name with statistic/visualization?

jialiu907 · ‎03-31-2023

I am new to Splunk and I wanted to make a dashboard to showcase the count of Linux machines and their distributions in the environment. I have gotten the search to be almost what I want except the output statistic is wrong in the naming.

This is the current search.

index=main host=* sourcetype=syslog process=elcsend "\"config " "CentOS Linux release 7.9.2009 (Core)" OR "Rocky Linux release 8.7 (Green Obsidian)" OR "Rocky Linux release 9.1 (Blue Onyx)" 
| rex "CentOS Linux release (?P<vers>\d.\d)" 
| eval vers = "CentOS ".vers 
| rex "Rocky Linux release (?P<vers>\d.\d)" 
| eval vers = "Rocky ".vers
| dedup host 
| stats count by vers
| addcoltotals label=Total labelfield=vers
| sort count desc

And this is the output.

I am looking to have "Rocky CentOS 7.9" to just be named "CentOS 7.9" while the others remain as they are.

richgalloway · ‎03-31-2023

The problem stems from the vers field already having "CentOS" added and then "Rocky " is added. Try extracting separate version fields.

index=main host=* sourcetype=syslog process=elcsend "\"config " "CentOS Linux release 7.9.2009 (Core)" OR "Rocky Linux release 8.7 (Green Obsidian)" OR "Rocky Linux release 9.1 (Blue Onyx)" 
| rex "CentOS Linux release (?P<vers>\d.\d)" 
| rex "Rocky Linux release (?P<vers>\d.\d)" 
index=main host=* sourcetype=syslog process=elcsend "\"config " "CentOS Linux release 7.9.2009 (Core)" OR "Rocky Linux release 8.7 (Green Obsidian)" OR "Rocky Linux release 9.1 (Blue Onyx)" 
| rex "CentOS Linux release (?P<Cvers>\d.\d)" 
| rex "Rocky Linux release (?P<Rvers>\d.\d)" 
| eval Cvers = "CentOS ".Cvers 
| eval Rvers = "Rocky ".Rvers
| eval vers = coalesce(Cvers, Rvers)
| dedup host 
| stats count by vers
| addcoltotals label=Total labelfield=vers
| sort count desc

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎03-31-2023

The problem stems from the vers field already having "CentOS" added and then "Rocky " is added. Try extracting separate version fields.

index=main host=* sourcetype=syslog process=elcsend "\"config " "CentOS Linux release 7.9.2009 (Core)" OR "Rocky Linux release 8.7 (Green Obsidian)" OR "Rocky Linux release 9.1 (Blue Onyx)" 
| rex "CentOS Linux release (?P<vers>\d.\d)" 
| rex "Rocky Linux release (?P<vers>\d.\d)" 
index=main host=* sourcetype=syslog process=elcsend "\"config " "CentOS Linux release 7.9.2009 (Core)" OR "Rocky Linux release 8.7 (Green Obsidian)" OR "Rocky Linux release 9.1 (Blue Onyx)" 
| rex "CentOS Linux release (?P<Cvers>\d.\d)" 
| rex "Rocky Linux release (?P<Rvers>\d.\d)" 
| eval Cvers = "CentOS ".Cvers 
| eval Rvers = "Rocky ".Rvers
| eval vers = coalesce(Cvers, Rvers)
| dedup host 
| stats count by vers
| addcoltotals label=Total labelfield=vers
| sort count desc

---
If this reply helps you, Karma would be appreciated.

How to name with statistic/visualization?

eval

fields

rex

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Monitoring AI Agents with Splunk Observability Cloud

[Puzzles] Solve, Learn, Repeat: Tiling

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

Join the Conversation