Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Need help in 2 stats operator
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi All,
need help in using 2 stats operation in one program.
My program:
index=opennms "uei.opennms.org/nodes/nodeUp" OR "uei.opennms.org/nodes/nodeDown"
| rex field=eventuei "uei.opennms.org/nodes/node(?<Status>.+)"
| stats max(_time) as Time latest(Status) as Status by nodelabel
| table nodelabel,Status,Time
| lookup ONMS_nodes.csv nodelabel OUTPUT sitecode
| table nodelabel,Status,Time, sitecode
Output Table :
| nodelabel | Status | Time | sitecode |
| AOKWA1 | Down | 1/20/2021 20:36 | KWA |
| BXTPR | Down | 1/20/2021 20:34 | TPR |
| UKHCO | Down | 1/20/2021 20:32 | HCO |
| AOKWA3 | Down | 1/20/2021 20:30 | KWA |
| AOKWA2 | Down | 1/20/2021 20:29 | KWA |
| AOKWA4 | Down | 1/20/2021 20:18 | KWA |
Here I have KWA 4 times.
Requirement : i need to filter only those sitescodes which are greater than 3 numbers.( all KWA only should be listed in my required output table, ignore all with sitecode count less than 3)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi @jerinvarghese ,
Try this:
index=opennms "uei.opennms.org/nodes/nodeUp" OR "uei.opennms.org/nodes/nodeDown"
| rex field=eventuei "uei.opennms.org/nodes/node(?<Status>.+)"
| stats max(_time) as Time latest(Status) as Status by nodelabel
| lookup ONMS_nodes.csv nodelabel OUTPUT sitecode
| eventstats count by sitecode
| where count > 3
| table nodelabel, Status, Time, sitecode
If this reply helps you, an upvote/like would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, that is not giving me the correct value. its calculating the event's previous occurrence count rather than the count of sitecode.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I've updated my answer please check it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi @jerinvarghese ,
Try this:
index=opennms "uei.opennms.org/nodes/nodeUp" OR "uei.opennms.org/nodes/nodeDown"
| rex field=eventuei "uei.opennms.org/nodes/node(?<Status>.+)"
| stats max(_time) as Time latest(Status) as Status by nodelabel
| lookup ONMS_nodes.csv nodelabel OUTPUT sitecode
| eventstats count by sitecode
| where count > 3
| table nodelabel, Status, Time, sitecode
If this reply helps you, an upvote/like would be appreciated.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...
Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern
Splunk Developer Day announcements: AI agents, MCP tools, Forecasting, and Custom ...
