Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to separate the count of two fields into ranges?

skelly99
Explorer
‎08-29-2018 09:52 AM

Hi - I have a dataset which contains two scan dates fields per server. There are 50000 events in the dataset, one event per server.

hostname, days_since_hw_scan, days_since_sw_scan
server1,2,3
server2,20,10
server3,5,19
....
...

I want to summarise the data set so that I have a count of both scan date fields within a range of days, eg

Range of Days. hw_host_scan_count, sw_host_scan_count
0-5, x , y
6-10, x , y
11-15, x, y
...
...

I can get this OK for one of the field using the chart command below but I am looking for a table which includes both fields.

chart count by hw_host_scan_count span=5

Any suggestions appreciated.

Thanks.

Reply
1 Solution
Solved! Jump to solution
Solution

harishalipaka
Motivator
‎08-30-2018 02:20 AM

hi @skelly99

can you try like this 

|makeresults |eval hostname="server1" ,days_since_hw_scan=2,days_since_sw_scan=3 |append [|makeresults |eval hostname="server2" ,days_since_hw_scan=20,days_since_sw_scan=10 ] |append [|makeresults |eval hostname="server3" ,days_since_hw_scan=5,days_since_sw_scan=19 ] |table hostname, days_since_hw_scan, days_since_sw_scan |chart count as hw_host_scan_count by days_since_hw_scan span=5 |rename days_since_hw_scan as days_since_sw_scan

|join days_since_sw_scan [|makeresults |eval hostname="server1" ,days_since_hw_scan=2,days_since_sw_scan=3 |append [|makeresults |eval hostname="server2" ,days_since_hw_scan=20,days_since_sw_scan=10 ] |append [|makeresults |eval hostname="server3" ,days_since_hw_scan=5,days_since_sw_scan=19 ] |table hostname, days_since_hw_scan, days_since_sw_scan |chart count as sw_host_scan_count by days_since_sw_scan span=5 ]
Thanks
Harish

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

harishalipaka
Motivator
‎08-30-2018 02:20 AM

hi @skelly99

can you try like this 

|makeresults |eval hostname="server1" ,days_since_hw_scan=2,days_since_sw_scan=3 |append [|makeresults |eval hostname="server2" ,days_since_hw_scan=20,days_since_sw_scan=10 ] |append [|makeresults |eval hostname="server3" ,days_since_hw_scan=5,days_since_sw_scan=19 ] |table hostname, days_since_hw_scan, days_since_sw_scan |chart count as hw_host_scan_count by days_since_hw_scan span=5 |rename days_since_hw_scan as days_since_sw_scan

|join days_since_sw_scan [|makeresults |eval hostname="server1" ,days_since_hw_scan=2,days_since_sw_scan=3 |append [|makeresults |eval hostname="server2" ,days_since_hw_scan=20,days_since_sw_scan=10 ] |append [|makeresults |eval hostname="server3" ,days_since_hw_scan=5,days_since_sw_scan=19 ] |table hostname, days_since_hw_scan, days_since_sw_scan |chart count as sw_host_scan_count by days_since_sw_scan span=5 ]
Thanks
Harish
0 Karma
Reply
Solved! Jump to solution

skelly99
Explorer
‎08-31-2018 12:22 AM

Hi - thanks that helped - I had thought I'd done this previously without the need for the join but can't find the search so perhaps I am imagining this.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Discover how the Splunk Model Context Protocol (MCP) Server can revolutionize the way your organization uses ...