Solved: How to write a search to list the count of the num...

albyva · ‎01-19-2015

How can I get splunk to count the number of times an ID appears and to list the last date it was found?

Splunk Data:

Jan 19 21:35:27 score="9.3", ip=192.168.2.1, id=123, name="blahblah1"
Jan 19 21:35:28 score="1.0", ip=192.168.2.2, id=456, name="blahblah2"
Jan 19 21:35:29 score="2.5", ip=192.168.2.3, id=789, name="blahblah3"
Jan 19 21:35:30 score="9.3", ip=192.168.2.4, id=123, name="blahblah1"

What I want to see is an output that looks like:

COUNT ID   NAME      SCORE  DATE
-------------------------------------------
2     123  blahblah1  9.3   Jan 19 21:35:30    (note the last date)
1     456  blahblah2  1.0   Jan 19 21:35:28
1     789  blahblah3  2.5   Jan 19 21:35:29

What I've been doing is running:

searchstring | stats count by id name score

and that gets me most of what I need, but I can't seem to incorporate the latest Date without it screwing up everything.
Any suggestions?

Thanks,

albyva · ‎01-19-2015

I figured it out.

searchstring | stats count latest(_time) as LastHit by id, name, score | convert ctime(LastHit)

View solution in original post

albyva · ‎01-19-2015

I figured it out.

searchstring | stats count latest(_time) as LastHit by id, name, score | convert ctime(LastHit)

How to write a search to list the count of the number of times an ID appears and the timestamp it was last found?

Changes to Splunk Instructor-Led Training Completion Criteria

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

Preparing your Splunk Environment for OpenSSL3