How to search for and display all hosts that have more than 1 eventtype?

Is there a way to search for more than 1 eventtype for a single host and display the same in a stats table?

Fields available are:

hostsname
eventtype = e.g. disk full, disk crash, cpu high

Need to display all hosts which have more than 1 eventtype, e.g. a hostname with both cpu high and disk full.

Re: How to search for and display all hosts that have more than 1 eventtype?

SplunkTrust
Perhaps something like this?

index=foo | stats dc(eventtype) as eventCount values(eventtype) as eventtype by hostname | where eventCount > 1 | table hostname eventtype
---
If this reply helps you, an upvote would be appreciated.
0 Karma
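
The approach from the reply above, as an added example that is not part of the original thread: it runs without any index by building a few constructed sample rows (the `constructed_sample` field, its host names and event types are made up here), then applies the distinct-count filter. Because `dc()` counts distinct values, a host that logs the same eventtype repeatedly does not cross the threshold; only hosts with two or more different eventtypes are kept.

```spl
| makeresults
| eval constructed_sample="web01,cpu high;web01,disk full;web01,cpu high;db01,disk full;db01,disk full;app01,disk crash"
| makemv delim=";" constructed_sample
| mvexpand constructed_sample
| rex field=constructed_sample "^(?<hostname>[^,]+),(?<eventtype>.+)$"
| stats dc(eventtype) as eventCount values(eventtype) as eventtypes count as events by hostname
| where eventCount > 1
| table hostname eventCount eventtypes events
```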