Splunk Search

How to show all data of one field?

userQ
Loves-to-Learn

Hello, let me give some context before showing the query.

I have a Splunk instance that I test on to see the query results, because I don't have access to the Splunk instance that has the data.

I have a query that shows me the result for these two hostnames, but I need the same result for all hostnames, not just these two.

I have 2 queries.

The first query gets me the results for the two hosts, although I don't know whether it does so because I have the data inserted (I can't find it by index) or because I use makeresults (I read that it works from cache and the data doesn't have to be there).

| makeresults
| eval EventCode="20", hostname="wdv01ssps,DESCASSOAW01", error_code="0x80070003 0x80004004"
| makemv delim="," hostname
| makemv delim=" " EventCode
| makemv delim=" " error_code
| mvexpand EventCode
| mvexpand hostname
| mvexpand error_code
| table hostname EventCode error_code

I'd like to use the latter, as it's easier for me to display results by hostname; in this case it's called ComputerName.

How can I do to show all ComputerName with these same filters?

index=sistemi sourcetype="wineventlog" TaskCategory="Windows Update Agent" AND EventCode IN (20, 27)
| eval day_of_week = lower(strftime(_time, "%A"))
| eval date_string = strftime(_time, "%Y-%m-%d")
| eval Weekend=if(day_of_week="saturday" OR day_of_week="sunday",1,null())
| search Weekend=1
| stats count by Message EventCode ComputerName date_string
| stats list(Message) by ComputerName date_string EventCode

It may simply not be possible to list all the computer names without listing them one by one.

Thanks.

0 Karma

userQ
Loves-to-Learn

Hi, sorry if I didn't explain myself well.
I would like to get all the hostnames instead of just naming those two, for example: hostname=*

Referencing the * as all the hostnames there are.

I know the * doesn't work in Splunk like it does in programming languages; it only worked with index=*, not inside the query with the data.

0 Karma

ITWhisperer
SplunkTrust

Why do you think * only works for index?

By not restricting the hostname i.e. not using a filter, you will be getting events for all hostnames. This is almost the same as hostname=* except that hostname=* will ensure hostname is not null.

0 Karma
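A way to check the "no hostname filter" behaviour without access to the real index, as an added example that is not part of the original thread: it builds one synthetic wineventlog-style row per event with makeresults (the hostnames, event codes and timestamps are constructed), applies the same weekend logic as the query in the question, and lets you compare omitting the ComputerName filter with ComputerName=*. Chaining mvexpand over several multivalue fields, as in the makeresults query in the question, yields the cross product of the values, so this example packs each event into one delimited record and splits it instead.

```spl
| makeresults count=1
| eval rows="wdv01ssps;20;2024-03-02T10:00:00,DESCASSOAW01;27;2024-03-03T11:00:00,SRV03;20;2024-03-04T09:00:00,NONE;20;2024-03-02T12:00:00"
| makemv delim="," rows
| mvexpand rows
| eval parts=split(rows, ";")
| eval ComputerName=mvindex(parts, 0), EventCode=mvindex(parts, 1), _time=strptime(mvindex(parts, 2), "%Y-%m-%dT%H:%M:%S")
| eval ComputerName=if(ComputerName="NONE", null(), ComputerName)
| fields - rows parts
| eval day_of_week=lower(strftime(_time, "%A")), date_string=strftime(_time, "%Y-%m-%d")
| where day_of_week="saturday" OR day_of_week="sunday"
| search ComputerName=*
| table date_string ComputerName EventCode
```

The constructed data holds four events: two on Saturday 2024-03-02 (one of them with no ComputerName, encoded as the placeholder NONE and turned into null), one on Sunday 2024-03-03 and one on Monday 2024-03-04. The weekend filter drops the Monday row; with the `search ComputerName=*` line removed the table shows three rows, with it only the two that carry a hostname. Note that the `stats ... by ComputerName` at the end of the query in the question would silently discard events whose ComputerName is null anyway, so ComputerName=* mainly makes that behaviour explicit rather than changing the result.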

ITWhisperer
SplunkTrust

I am not sure what you are asking for - all the computer names are listed by the stats call. Do you just want the computer names?

| stats values(ComputerName) as ComputerName
0 Karma