Splunk Search

How to separate the count of two fields into ranges?

skelly99
Explorer

Hi - I have a dataset which contains two scan dates fields per server. There are 50000 events in the dataset, one event per server.

hostname, days_since_hw_scan, days_since_sw_scan
server1,2,3
server2,20,10
server3,5,19
....
...

I want to summarise the data set so that I have a count of both scan date fields within a range of days, eg

Range of Days. hw_host_scan_count, sw_host_scan_count
0-5, x , y
6-10, x , y
11-15, x, y
...
...

I can get this OK for one of the field using the chart command below but I am looking for a table which includes both fields.

chart count by hw_host_scan_count span=5

Any suggestions appreciated.

Thanks.

1 Solution

harishalipaka
Motivator

hi @skelly99

can you try like this

|makeresults |eval hostname="server1" ,days_since_hw_scan=2,days_since_sw_scan=3 |append [|makeresults |eval hostname="server2" ,days_since_hw_scan=20,days_since_sw_scan=10 ] |append [|makeresults |eval hostname="server3" ,days_since_hw_scan=5,days_since_sw_scan=19 ] |table hostname, days_since_hw_scan, days_since_sw_scan |chart count as hw_host_scan_count by days_since_hw_scan span=5 |rename days_since_hw_scan as days_since_sw_scan

|join days_since_sw_scan [|makeresults |eval hostname="server1" ,days_since_hw_scan=2,days_since_sw_scan=3 |append [|makeresults |eval hostname="server2" ,days_since_hw_scan=20,days_since_sw_scan=10 ] |append [|makeresults |eval hostname="server3" ,days_since_hw_scan=5,days_since_sw_scan=19 ] |table hostname, days_since_hw_scan, days_since_sw_scan |chart count as sw_host_scan_count by days_since_sw_scan span=5 ]
Thanks
Harish

View solution in original post

0 Karma

harishalipaka
Motivator

hi @skelly99

can you try like this

|makeresults |eval hostname="server1" ,days_since_hw_scan=2,days_since_sw_scan=3 |append [|makeresults |eval hostname="server2" ,days_since_hw_scan=20,days_since_sw_scan=10 ] |append [|makeresults |eval hostname="server3" ,days_since_hw_scan=5,days_since_sw_scan=19 ] |table hostname, days_since_hw_scan, days_since_sw_scan |chart count as hw_host_scan_count by days_since_hw_scan span=5 |rename days_since_hw_scan as days_since_sw_scan

|join days_since_sw_scan [|makeresults |eval hostname="server1" ,days_since_hw_scan=2,days_since_sw_scan=3 |append [|makeresults |eval hostname="server2" ,days_since_hw_scan=20,days_since_sw_scan=10 ] |append [|makeresults |eval hostname="server3" ,days_since_hw_scan=5,days_since_sw_scan=19 ] |table hostname, days_since_hw_scan, days_since_sw_scan |chart count as sw_host_scan_count by days_since_sw_scan span=5 ]
Thanks
Harish
0 Karma

skelly99
Explorer

Hi - thanks that helped - I had thought I'd done this previously without the need for the join but can't find the search so perhaps I am imagining this.

0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...