Solved: How to write a search to find the count and group ...

Velugs · ‎12-09-2015

Dear All,

I am new to Splunk and got a request to create dashboard on Splunk. Criteria is to collect/group linkdown traps and need to have a count based on interface.

So example output needs to be like

Host --- Interface --- Count

Right now I am able to get Host --Count, but need to edit the search such that I get a count based on Interface and not host. Hope this is clear.

Kind Regards

renjith_nair · ‎12-09-2015

Try this :

<your search> |stats count,latest(Host) as Host by Interface

This can be modified to your final requirement

Happy Splunking!

View solution in original post

renjith_nair · ‎12-09-2015

Try this :

<your search> |stats count,latest(Host) as Host by Interface

This can be modified to your final requirement

Happy Splunking!

Velugs · ‎12-14-2015

Hey Thank you.. just want to update the forum .. I got it..

index=XXX sourcetype="YYY" "Server Interface Down" | rex "(?i) Interface Down on (?P[^ ]+)" | rex "on [^ ]+ - (?P[^\"]+)" | stats count,latest(Description) as Description by host,Interface | search count >=100 | sort - count

Velugs · ‎12-14-2015

Hi Thank you.. well using the below I get Interface--count--host any chance I modify the output such as I can see host--interface--count

Velugs · ‎12-10-2015

Thanks for your time

it worked but with the below command

index=XXX sourcetype="YYY" "Server Interface Down" | head 10000  | rex "(?i) Interface Down on (?P[^ ]+)" | stats count,latest(host) as host by INTERFACE

Thank you Renjith 🙂

renjith_nair · ‎12-10-2015

Just replace latest(host) by values(host) to display all hosts in case there are multiple values

Happy Splunking!

How to write a search to find the count and group linkdown traps based on interface?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms