- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Need help in 2 stats operator
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi All,
need help in using 2 stats operation in one program.
My program:
index=opennms "uei.opennms.org/nodes/nodeUp" OR "uei.opennms.org/nodes/nodeDown"
| rex field=eventuei "uei.opennms.org/nodes/node(?<Status>.+)"
| stats max(_time) as Time latest(Status) as Status by nodelabel
| table nodelabel,Status,Time
| lookup ONMS_nodes.csv nodelabel OUTPUT sitecode
| table nodelabel,Status,Time, sitecode
Output Table :
| nodelabel | Status | Time | sitecode |
| AOKWA1 | Down | 1/20/2021 20:36 | KWA |
| BXTPR | Down | 1/20/2021 20:34 | TPR |
| UKHCO | Down | 1/20/2021 20:32 | HCO |
| AOKWA3 | Down | 1/20/2021 20:30 | KWA |
| AOKWA2 | Down | 1/20/2021 20:29 | KWA |
| AOKWA4 | Down | 1/20/2021 20:18 | KWA |
Here I have KWA 4 times.
Requirement : i need to filter only those sitescodes which are greater than 3 numbers.( all KWA only should be listed in my required output table, ignore all with sitecode count less than 3)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi @jerinvarghese ,
Try this:
index=opennms "uei.opennms.org/nodes/nodeUp" OR "uei.opennms.org/nodes/nodeDown"
| rex field=eventuei "uei.opennms.org/nodes/node(?<Status>.+)"
| stats max(_time) as Time latest(Status) as Status by nodelabel
| lookup ONMS_nodes.csv nodelabel OUTPUT sitecode
| eventstats count by sitecode
| where count > 3
| table nodelabel, Status, Time, sitecode
If this reply helps you, an upvote/like would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, that is not giving me the correct value. its calculating the event's previous occurrence count rather than the count of sitecode.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I've updated my answer please check it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi @jerinvarghese ,
Try this:
index=opennms "uei.opennms.org/nodes/nodeUp" OR "uei.opennms.org/nodes/nodeDown"
| rex field=eventuei "uei.opennms.org/nodes/node(?<Status>.+)"
| stats max(_time) as Time latest(Status) as Status by nodelabel
| lookup ONMS_nodes.csv nodelabel OUTPUT sitecode
| eventstats count by sitecode
| where count > 3
| table nodelabel, Status, Time, sitecode
If this reply helps you, an upvote/like would be appreciated.
Developer Spotlight with Paul Stout
State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...
Data-Driven Success: Splunk & Financial Services
