Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to write a search to find the count and group linkdown traps based on interface?

Velugs
Explorer
‎12-09-2015 10:33 PM

Dear All,

I am new to Splunk and got a request to create dashboard on Splunk. Criteria is to collect/group linkdown traps and need to have a count based on interface.

So example output needs to be like

Host --- Interface --- Count

Right now I am able to get Host --Count, but need to edit the search such that I get a count based on Interface and not host. Hope this is clear.

Kind Regards

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎12-09-2015 11:22 PM

Try this :

<your search> |stats count,latest(Host) as Host by Interface

This can be modified to your final requirement

---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎12-09-2015 11:22 PM

Try this :

<your search> |stats count,latest(Host) as Host by Interface

This can be modified to your final requirement

---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply
Solved! Jump to solution

Velugs
Explorer
‎12-14-2015 08:05 AM

Hey Thank you.. just want to update the forum .. I got it.. 

index=XXX sourcetype="YYY" "Server Interface Down" | rex "(?i) Interface Down on (?P[^ ]+)" | rex "on [^ ]+ - (?P[^\"]+)" | stats count,latest(Description) as Description by host,Interface | search count >=100 | sort - count
Reply
Solved! Jump to solution

Velugs
Explorer
‎12-14-2015 05:03 AM

Hi Thank you.. well using the below I get Interface--count--host any chance I modify the output such as I can see host--interface--count

0 Karma
Reply
Solved! Jump to solution

Velugs
Explorer
‎12-10-2015 08:53 AM

Thanks for your time

it worked but with the below command 

index=XXX sourcetype="YYY" "Server Interface Down" | head 10000  | rex "(?i) Interface Down on (?P[^ ]+)" | stats count,latest(host) as host by INTERFACE

Thank you Renjith 🙂

0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎12-10-2015 06:25 PM

Just replace latest(host) by values(host) to display all hosts in case there are multiple values

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...