Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Need help in 2 stats operator

jerinvarghese
Communicator
‎01-20-2021 07:16 AM

Hi All,

need help in using 2 stats operation in one program.

My program:

 

index=opennms "uei.opennms.org/nodes/nodeUp" OR "uei.opennms.org/nodes/nodeDown"
| rex field=eventuei "uei.opennms.org/nodes/node(?<Status>.+)"
| stats max(_time) as Time latest(Status) as Status by nodelabel 
| table nodelabel,Status,Time
| lookup ONMS_nodes.csv nodelabel OUTPUT sitecode
| table nodelabel,Status,Time, sitecode

 

Output Table : 

nodelabelStatusTimesitecode
AOKWA1Down1/20/2021 20:36KWA
BXTPRDown1/20/2021 20:34TPR
UKHCODown1/20/2021 20:32HCO
AOKWA3Down1/20/2021 20:30KWA
AOKWA2Down1/20/2021 20:29KWA
AOKWA4Down1/20/2021 20:18KWA

 

Here I have KWA 4 times.

Requirement : i need to filter only those sitescodes which are greater than 3 numbers.( all KWA only should be listed in my required output table, ignore all with sitecode count less than 3)

 

Labels (6)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

manjunathmeti
Champion
‎01-20-2021 07:25 AM

hi @jerinvarghese ,

Try this:

index=opennms "uei.opennms.org/nodes/nodeUp" OR "uei.opennms.org/nodes/nodeDown"
| rex field=eventuei "uei.opennms.org/nodes/node(?<Status>.+)"
| stats max(_time) as Time latest(Status) as Status by nodelabel
| lookup ONMS_nodes.csv nodelabel OUTPUT sitecode
| eventstats count by sitecode
| where count > 3
| table nodelabel, Status, Time, sitecode

If this reply helps you, an upvote/like would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

jerinvarghese
Communicator
‎01-20-2021 07:35 AM

Hi, that is not giving me the correct value. its calculating the event's previous occurrence count rather than the count of sitecode.

0 Karma
Reply
Solved! Jump to solution

manjunathmeti
Champion
‎01-20-2021 07:45 AM

I've updated my answer please check it.

0 Karma
Reply
Solved! Jump to solution
Solution

manjunathmeti
Champion
‎01-20-2021 07:25 AM

hi @jerinvarghese ,

Try this:

index=opennms "uei.opennms.org/nodes/nodeUp" OR "uei.opennms.org/nodes/nodeDown"
| rex field=eventuei "uei.opennms.org/nodes/node(?<Status>.+)"
| stats max(_time) as Time latest(Status) as Status by nodelabel
| lookup ONMS_nodes.csv nodelabel OUTPUT sitecode
| eventstats count by sitecode
| where count > 3
| table nodelabel, Status, Time, sitecode

If this reply helps you, an upvote/like would be appreciated.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...