Solved: Re: Iterate through the results of a query

DJPillowhead · ‎02-16-2015

Hi All,

I have a query that gives me a result in a name value format in a table.
Basically I work with log lines and I'm counting how many times one field has a discreet value.

Log lines can be e.g.:

errorid=1 hostname=a value=1
errorid=1 hostname=b value=3
errorid=1 hostname=a value=2
errorid=1 hostname=c value=1
errorid=2 hostname=c value=1

I'm able to create a query like:

errorid=*| stats count(eval(errorid='1') by hostname as Host

or

errorid=* | stats count(eval(errorid='1') by value as Value

But what I'd need that get the result from the first query and run the second against that subset.
So I'd like to find out that how many error messages have value X on a given host and get this for all hosts that appear in these kind of messages.

Any ideas?

cchitten · ‎02-16-2015

does this work:

errorid=1 | stats count by hostname

View solution in original post

DJPillowhead · ‎02-16-2015

Output should be a table something like:

errorid | hostname | count
1 | a | 5
1 | b | 2
1 | c | 4
2 | a | 5

Runals · ‎02-16-2015

easy then - just a stats count by errorid hostname. Again though assuming you aren't wanting to do something with the field "value". Of course you could get all fancy and do something like

... | stats count by error hostname value | sort hostname | stats sum(count) as total_events list(hostname) as hostname list(value) as value by error

Since you seem to be interested in the error messages. If you wanted to focus more on the errors from a particular host you could reverse that to

... | stats count by error hostname value | sort hostname | stats sum(count) as total_events list(error) as error list(value) as value by hostname

Of course I'm partial to that sort of formatting but it doesn't translate well to PDF or csv output.

Runals · ‎02-16-2015

With your interaction with cchitten I'm not really sure what you are asking. Have you tried

errorid=* | stats count by hostname errorid value | sort hostname errorid

That will give you the individual counts of unique events. You could then do additional stats or eventstats commands if you wanted to find other pieces of summary data. I guess if that doesn't help I'd suggest posting an example of hoped for outcome.

cchitten · ‎02-16-2015

does this work:

errorid=1 | stats count by hostname

DJPillowhead · ‎02-16-2015

Thanks, but that's written there in my question. I'd like to have a result that shows how many errors came with hostname "somehing" AND on a third column, how much of these had value x.

cchitten · ‎02-16-2015

you wrote "how many error messages have value 1" not value X. And your searches weren't even using the right field names. Thats where i thought you were going wrong.

You could simply use a subsearch:

 index=* [search index=* errorid=1 | table errorid] | stats count, dc(errorid), values(errorid) by hostname

DJPillowhead · ‎02-16-2015

Thanks for your answer, I've made my initial question more straightforward.

Iterate through the results of a query

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?